This section provides detailed information on the Protect against brute-force attacks option that is available on SPS, on Basic Settings > Local Services > Web login.
NOTE: You can configure the Protect against brute-force attacks option only under Web login (admin and user), but these settings are inherited by the Web login (user only) settings too.
The web login addresses of administrators and users are, by default, protected against brute-force attacks: once a user name or source IP address reaches the configured number of unsuccessful login attempts, SPS denies all further attempts from that user name or address for the configured time. You can turn this off by deselecting the Protect against brute-force attacks option for the web login addresses.
The Protect against brute-force attacks option blocks the user name or the IP address based on the following:
If the number of unsuccessful login attempts from the same IP address reaches the attempt limit, the IP address is blocked. The counter is kept per IP address, so attempts with different user names from that address all count towards it.
If the number of unsuccessful login attempts with the same user name reaches the attempt limit, the user name is blocked for all IP addresses. The counter is kept per user name, so attempts from different IP addresses all count towards it.
The rejected authentication attempts that are made during the blocking do not increase the lockout counters.
NOTE: The admin user is also subject to brute-force attack protection.
The default operation of the Protect against brute-force attacks option is that after 20 unsuccessful login attempts, the user name or the IP address is blocked for 10 minutes.
Attempt limit: 1-50 attempts
Lockout period: 1-720 minutes
During the blocking, a blocked user receives the Unable to authenticate error message whether valid or invalid credentials are entered.
NOTE: The Unable to authenticate error message deliberately gives no details about the cause of the error or its possible solutions, so that an attacker who receives it cannot tell a lockout apart from a wrong password.
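The following Python model, added here as an illustration rather than taken from SPS, reproduces the documented rules (one counter per IP address across user names, one counter per user name across IP addresses, a block once the attempt limit is reached, rejected attempts during a block that do not increment any counter, a counter that resets when its lockout period ends, and a clear operation that removes blocks without disabling the protection). Time is passed in as plain seconds so the scenario runs offline; the class name, the method names and the input values are this example's own.

```python
"""Model of the SPS web-login brute-force protection described above.

Added example, not SPS code. Times are plain seconds supplied by the caller
(constructed input); the appliance uses its own clock.
"""
from collections import defaultdict

UNABLE_TO_AUTHENTICATE = "Unable to authenticate"   # the only message a caller ever sees


class LockoutGuard:
    def __init__(self, attempt_limit=20, lockout_minutes=10):
        # Defaults and permitted ranges are the ones documented for SPS.
        if not 1 <= attempt_limit <= 50:
            raise ValueError("Attempt limit must be 1-50")
        if not 1 <= lockout_minutes <= 720:
            raise ValueError("Lockout period must be 1-720 minutes")
        self.attempt_limit = attempt_limit
        self.lockout_seconds = lockout_minutes * 60
        self.ip_failures = defaultdict(int)     # one counter per IP, any user name
        self.user_failures = defaultdict(int)   # one counter per user name, any IP
        self.ip_blocked_until = {}
        self.user_blocked_until = {}
        self.log = []                           # lockout events in the documented format

    @staticmethod
    def _expire(blocked, counters, key, now):
        # The counter resets when its lockout period is over.
        if key in blocked and now >= blocked[key]:
            del blocked[key]
            counters.pop(key, None)

    def is_blocked(self, username, ip, now):
        self._expire(self.ip_blocked_until, self.ip_failures, ip, now)
        self._expire(self.user_blocked_until, self.user_failures, username, now)
        return ip in self.ip_blocked_until or username in self.user_blocked_until

    def clear_blocked(self):
        """Counterpart of the console's 'Clear list of blocked users/IPs' (and of the
        reboot / HA failover reset): blocks and counters go, the protection stays on."""
        self.ip_blocked_until.clear()
        self.user_blocked_until.clear()
        self.ip_failures.clear()
        self.user_failures.clear()

    def _lock(self, cause, username, ip, now):
        if cause == "remote_addr":
            self.ip_blocked_until[ip] = now + self.lockout_seconds
        else:
            self.user_blocked_until[username] = now + self.lockout_seconds
        self.log.append(
            f"Authentication denied, too many attempts, {cause} is locked out; "
            f"username='{username}', remote_address='{ip}', lockout='{self.lockout_seconds}'"
        )

    def attempt(self, username, ip, credentials_ok, now):
        """Return 'ok' or the generic error message."""
        if self.is_blocked(username, ip, now):
            # Rejected during a block: same message for valid and invalid
            # credentials, and no counter is incremented.
            return UNABLE_TO_AUTHENTICATE
        if credentials_ok:
            # The page lists no reset on success, so counters are kept as they are.
            return "ok"
        self.ip_failures[ip] += 1
        self.user_failures[username] += 1
        if self.ip_failures[ip] >= self.attempt_limit:
            self._lock("remote_addr", username, ip, now)
        if self.user_failures[username] >= self.attempt_limit:
            self._lock("username", username, ip, now)
        return UNABLE_TO_AUTHENTICATE


if __name__ == "__main__":
    g = LockoutGuard(attempt_limit=3, lockout_minutes=1)
    # Three different user names from one address: the address gets blocked.
    for t, user in enumerate(["alice", "bob", "carol"]):
        g.attempt(user, "192.0.2.10", False, now=t)
    print(g.attempt("alice", "192.0.2.10", True, now=3))   # still denied, valid password or not
    # Three addresses against one user name: the name is blocked everywhere.
    for t, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        g.attempt("admin", ip, False, now=100 + t)
    print(g.attempt("admin", "198.51.100.4", True, now=103))
    for line in g.log:
        print(line)
```

Note what the second scenario implies: an attacker who spreads a small number of guesses per source address over many addresses never trips the per-IP counter, but the per-user-name counter still locks the targeted account, so a lockout of the admin user name from addresses you do not recognise is worth an alert rather than just a reset.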
If a user name or an IP address is blocked, a log event is created, which provides the details about the blocking. The log event contains the following:
Cause of the blocking
Duration of the blocking
The following example provides the details about the blocking of a user name. The blocked user name is admin and the IP address used is 192.168.1.1. The reason for the blocking is that the user has exceeded the allowed number of unsuccessful authentication attempts. This user is blocked for 300 seconds.
Authentication denied, too many attempts, username is locked out; username='admin', remote_address='192.168.1.1', lockout='300'
The following example provides the details about the blocking of an IP address. The user is admin and the blocked IP address is 192.168.1.1. The reason for the blocking is that the allowed number of unsuccessful authentication attempts has been reached from this IP address. This IP address is blocked for 300 seconds.
Authentication denied, too many attempts, remote_addr is locked out; username='admin', remote_address='192.168.1.1', lockout='300'
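Because the two event formats above are the only way to see lockouts from outside the appliance, it pays to parse them on the log collector. The Python below is an added example (not SPS code): it extracts the cause, user name, source address and lockout length from lines in the documented format and flags user names that were locked out from more than one address, the pattern a distributed password-spraying attempt leaves behind. The sample lines are constructed for this example; the syslog-style prefix in front of each message is an assumption about the collector's framing, not something this page specifies.

```python
"""Parse SPS web-login lockout events and flag user names locked from several addresses.

Added example, not SPS code. The regular expression matches the two message
formats documented above; the sample lines are constructed.
"""
import re
from collections import defaultdict

LOCKOUT_RE = re.compile(
    r"Authentication denied, too many attempts, "
    r"(?P<cause>username|remote_addr) is locked out; "
    r"username='(?P<username>[^']*)', "
    r"remote_address='(?P<remote_address>[^']*)', "
    r"lockout='(?P<lockout>\d+)'"
)


def parse_lockout_event(line):
    """Return a dict with cause/username/remote_address/lockout, or None for other lines."""
    m = LOCKOUT_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["lockout"] = int(event["lockout"])   # seconds, as in the documented examples
    return event


# Constructed sample log; the "Jan 10 ... sps1" prefix is an assumed syslog framing.
SAMPLE_LOG = [
    "Jan 10 09:12:01 sps1 Authentication denied, too many attempts, remote_addr is locked out; "
    "username='admin', remote_address='192.168.1.1', lockout='300'",
    "Jan 10 09:14:47 sps1 Authentication denied, too many attempts, username is locked out; "
    "username='admin', remote_address='203.0.113.7', lockout='300'",
    "Jan 10 09:15:02 sps1 Authentication denied, too many attempts, username is locked out; "
    "username='admin', remote_address='198.51.100.23', lockout='300'",
    "Jan 10 09:15:30 sps1 Some unrelated log line",
]


def summarize_lockouts(lines):
    """Count IP lockouts per address; for user-name lockouts collect the source addresses."""
    summary = {"remote_addr": defaultdict(int), "username": defaultdict(set)}
    for line in lines:
        ev = parse_lockout_event(line)
        if ev is None:
            continue
        if ev["cause"] == "remote_addr":
            summary["remote_addr"][ev["remote_address"]] += 1
        else:
            summary["username"][ev["username"]].add(ev["remote_address"])
    return summary


def spray_suspects(lines, min_sources=2):
    """User names locked out from at least min_sources distinct addresses."""
    summary = summarize_lockouts(lines)
    return sorted(user for user, ips in summary["username"].items() if len(ips) >= min_sources)


if __name__ == "__main__":
    for user in spray_suspects(SAMPLE_LOG):
        print(f"user name '{user}' locked out from several addresses: "
              f"{sorted(summarize_lockouts(SAMPLE_LOG)['username'][user])}")
```

A user-name lockout names only the address whose attempt tipped the counter, so two user-name lockouts with different addresses in a short window are the signal here; a single per-IP lockout from an office address is usually just a mistyped password.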
The web lockout counter for a user name or IP address is reset if:
The lockout period is over.
The server is rebooted.
The secondary node becomes active after an HA failover.
The root user clears the list of blocked users/IP addresses on the Troubleshooting page of the text-based physical or SSH console.
NOTE: If you are the root user, on the Troubleshooting page of the text-based physical or SSH console, you can clear the list of blocked user names and IP addresses using the Clear list of blocked users/IPs option. If you clear the list, users and IP addresses that previously were blocked due to exceeding the allowed number of web login attempts can attempt logging in again. Clearing the list does not disable the Protect against brute-force attacks option.
To configure the Protect against brute-force attacks option, on SPS, navigate to Basic Settings > Local Services > Web login.
Figure 55: Basic Settings > Local Services > Web login
For information on how to configure the web login for administrators and users, and as part of it, how to configure the Protect against brute-force attacks option, see section Configuring user and administrator login addresses.
You can assign logical interfaces to a physical interface. Each logical interface must have its own VLAN ID, and can have its own set of (alias) IP addresses and prefixes. The configured name for each logical interface is visible on One Identity Safeguard for Privileged Sessions (SPS)'s user interface only.
You can configure both IPv4 and IPv6 addresses. IPv6 is intended for configuring monitored connections; local services (including the web login) require IPv4 addresses. An interface can have multiple IP addresses, including a mix of IPv4 and IPv6 addresses.
NOTE: SPS does not support scenarios with two hosts using the same IP address on different VLAN groups.
To manage logical interfaces
Navigate to Basic Settings > Network > Interfaces.
Figure 56: Basic Settings > Network > Interfaces — Managing the logical interfaces
If necessary, use the label on the SPS hardware to identify the physical interface to which you want to assign a logical interface.
Click the add icon to add a new logical interface. Provide the following:
VLAN: The VLAN ID of the logical interface. Optional.
Do not set the VLAN ID unless your network environment is already configured to use this VLAN. Otherwise, your SPS appliance will be unreachable on this interface.
Address: The IP address of the logical interface.
Alternatively, you can also enter a hostname instead. One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to an IP address.
NOTE: The following limitations apply:
SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.
If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.
NOTE: Do not use IP addresses that fall into the following ranges:
220.127.116.11/16 (reserved for communication between SPS cluster nodes)
127.0.0.0/8 (localhost IP addresses)
Prefix: The network prefix length that defines the IP range (subnet) of the logical interface.
Optional: To add additional (alias) IP addresses and prefixes to a logical interface, click the add icon. To remove an alias IP address, click the corresponding delete icon.
MTU: Maximum Transmission Unit (MTU) to set per network interface (VLAN or network interface card). The default value is 1500.
Name: The name of the logical interface. This name is visible on SPS's user interface only.
To remove a logical interface, click the delete icon on the right side.
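Several of the constraints in this procedure are easy to violate when interface definitions are prepared outside the GUI (for example in a change ticket). The Python below is an added example, not part of SPS, that lints a set of proposed logical interfaces against the rules stated above: addresses in the ranges the page says not to use (the first range is taken exactly as printed on this page, with strict=False so its host bits are tolerated), the same IP address on two interfaces with different VLAN IDs, an interface carrying the web login without an IPv4 address, and a hostname in place of an address, which SPS resolves through the configured DNS servers and, if several records come back, picks at random. The dictionary layout, the function name and the 802.1Q VLAN ID range check are this example's own assumptions; the sample configuration is constructed.

```python
"""Lint proposed SPS logical-interface definitions against the documented constraints.

Added example, not SPS code. Input layout (name, physical, vlan, addresses, mtu)
is this example's own; the sample configuration is constructed.
"""
import ipaddress

# Ranges the page says not to use, taken as printed there.
RESERVED_RANGES = [
    ipaddress.ip_network("220.127.116.11/16", strict=False),  # cluster-node communication (as printed)
    ipaddress.ip_network("127.0.0.0/8"),                      # localhost
]

DEFAULT_MTU = 1500


def check_interfaces(interfaces, web_login_interface=None):
    """Return a list of (interface name, finding) tuples; an empty list means clean."""
    findings = []
    seen = {}   # ip address -> (interface name, vlan) of first use
    for iface in interfaces:
        name = iface["name"]
        vlan = iface.get("vlan")
        # 1-4094 is the 802.1Q range; an assumption of this example, not stated on the page.
        if vlan is not None and not 1 <= vlan <= 4094:
            findings.append((name, f"VLAN ID {vlan} is outside 1-4094"))
        if iface.get("mtu", DEFAULT_MTU) != DEFAULT_MTU:
            findings.append((name, f"MTU {iface['mtu']} differs from the default {DEFAULT_MTU}; confirm the path supports it"))
        has_ipv4 = False
        for entry in iface["addresses"]:
            raw = entry["address"]
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((name, f"'{raw}' is a hostname: resolved via the configured DNS servers, "
                                       "one of several records picked at random"))
                continue
            has_ipv4 = has_ipv4 or ip.version == 4
            for net in RESERVED_RANGES:
                if ip in net:
                    findings.append((name, f"{ip} falls into reserved range {net}"))
            if ip in seen and seen[ip][1] != vlan:
                other, other_vlan = seen[ip]
                findings.append((name, f"{ip} already used on '{other}' with VLAN {other_vlan}: "
                                       "the same IP on different VLANs is not supported"))
            seen.setdefault(ip, (name, vlan))
        if name == web_login_interface and not has_ipv4:
            findings.append((name, "local services (web login) require an IPv4 address"))
    return findings


# Constructed sample: one clean interface and three that break a documented rule.
SAMPLE_INTERFACES = [
    {"name": "mgmt",     "physical": "eth0", "vlan": None,
     "addresses": [{"address": "10.30.255.12", "prefix": 24}], "mtu": 1500},
    {"name": "dmz-v6",   "physical": "eth1", "vlan": 20,
     "addresses": [{"address": "2001:db8:1::5", "prefix": 64}], "mtu": 1500},
    {"name": "bad-loop", "physical": "eth1", "vlan": 30,
     "addresses": [{"address": "127.0.0.5", "prefix": 8}], "mtu": 1500},
    {"name": "dup",      "physical": "eth2", "vlan": 40,
     "addresses": [{"address": "10.30.255.12", "prefix": 24}], "mtu": 1500},
]


if __name__ == "__main__":
    for iface, problem in check_interfaces(SAMPLE_INTERFACES, web_login_interface="dmz-v6"):
        print(f"{iface}: {problem}")
```

Run it before a change window; the three findings on the sample (IPv6-only web login, loopback address, one IP on two VLANs) are each something the GUI will either reject or silently leave you locked out of the appliance with.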
You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SPS: such traffic is simply forwarded between the two interfaces, not proxied or audited by SPS.
To enable routing between logical interfaces
Navigate to Basic Settings > Network > IP forwarding.
Figure 57: Basic Settings > Network > IP forwarding — IP forwarding between interfaces
To add a new forwarding rule, click the add icon and select the two logical interfaces to connect. You can select the same interface in both fields to use that logical interface in single-interface router mode.
To delete an existing rule, click the corresponding delete icon.
The routing table contains the network destinations SPS can reach. Make sure that both the monitored connections and the local services of SPS (including connections made to the backup and archive servers, the syslog server, and the SMTP server) are routed properly.
You can add multiple IPv4 and IPv6 addresses and address ranges along with their respective gateways.
To configure the routing table
To add a new routing entry, navigate to Basic Settings > Network.
You can add interface-specific network routes using the Advanced routing option of each interface. Otherwise, use the Routing table option to manage networking routes.
Figure 58: Basic Settings > Network > Routing table — Routing
Click the add icon, then enter the IP address and the network prefix into the Network field.
Enter the IP address of the gateway used on that subnetwork into the Gateway field.