This section provides detailed information on the Protect against brute-force attacks option that is available on SPS, on Basic Settings > Local Services > Web login.
NOTE: You can configure the Protect against brute-force attacks option only under Web login (admin and user), but these settings are inherited by the Web login (user only) settings too.
Operation of the Protect against brute-force attacks option
The web login addresses of administrators and users are, by default, protected against brute-force attacks: after the users reach the configured number of unsuccessful login attempts, SPS denies all following attempts for the configured time. You can turn this off by deselecting the Protect against brute-force attacks option for the web login addresses.
The Protect against brute-force attacks option blocks the user name or the IP address based on the following:
- If the number of unsuccessful login attempts from the same IP address with any user name exceeds the threshold, the IP address is blocked.
- If the number of unsuccessful login attempts with a user name from different IP addresses exceeds the threshold, the user name is blocked for all IP addresses.
The rejected authentication attempts that are made during the blocking do not increase the lockout counters.
NOTE: The admin user is also subject to brute-force attack protection.
The default operation of the Protect against brute-force attacks option is that after 20 unsuccessful login attempts, the user name or the IP address is blocked for 10 minutes.
Accepted values:
- Attempt limit: 1-50 attempts
- Lockout period: 1-720 minutes
During the blocking, blocked users receive the Unable to authenticate error message whether they enter valid or invalid credentials.
NOTE: The Unable to authenticate error message deliberately gives no details about the cause or the possible solutions, so that an attacker who receives it learns nothing beyond the fact that the login failed.
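The following is an added illustration, not SPS code, of the two-counter lockout logic described above: one counter per IP address (any user name), one per user name (any IP address), each triggering a lockout when it reaches the configured limit, with attempts made during a lockout left uncounted and the counter reset once the lockout period is over. The class name WebLoginGuard, the method names, the epoch-seconds clock passed in by the caller, and the reading of "reach the configured number" as failures >= limit are all assumptions of this example; the defaults (20 attempts, 10 minutes), the accepted ranges and the log message format are taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the documented behaviour; illustration only, not SPS source.
DEFAULT_ATTEMPT_LIMIT = 20      # unsuccessful attempts before a lockout (page default)
DEFAULT_LOCKOUT_MINUTES = 10    # minutes a user name or IP address stays blocked (page default)


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: Optional[float] = None   # epoch seconds; None means not blocked


class WebLoginGuard:
    """Per-IP and per-user-name lockout counters, as the page describes them."""

    def __init__(self, attempt_limit: int = DEFAULT_ATTEMPT_LIMIT,
                 lockout_minutes: int = DEFAULT_LOCKOUT_MINUTES) -> None:
        if not 1 <= attempt_limit <= 50:
            raise ValueError("Attempt limit must be 1-50 attempts")
        if not 1 <= lockout_minutes <= 720:
            raise ValueError("Lockout period must be 1-720 minutes")
        self.attempt_limit = attempt_limit
        self.lockout_minutes = lockout_minutes
        self._by_ip: Dict[str, _Counter] = {}
        self._by_user: Dict[str, _Counter] = {}
        self.log: List[str] = []            # lockout events in the page's log format

    def _blocked(self, c: _Counter, now: float) -> bool:
        # A lockout whose period is over resets the counter (first reset condition on the page).
        if c.blocked_until is not None and now >= c.blocked_until:
            c.blocked_until = None
            c.failures = 0
        return c.blocked_until is not None

    def is_allowed(self, username: str, ip: str, now: float) -> bool:
        """False while either the IP (any user name) or the user name (any IP) is locked out."""
        ip_c = self._by_ip.setdefault(ip, _Counter())
        user_c = self._by_user.setdefault(username, _Counter())
        ip_blocked = self._blocked(ip_c, now)      # evaluate both so expired
        user_blocked = self._blocked(user_c, now)  # lockouts are always cleared
        return not (ip_blocked or user_blocked)

    def record_failure(self, username: str, ip: str, now: float) -> str:
        """Account for one unsuccessful login and report what the guard did."""
        if not self.is_allowed(username, ip, now):
            return "already_blocked"   # attempts during a lockout do not touch the counters
        ip_c, user_c = self._by_ip[ip], self._by_user[username]
        ip_c.failures += 1
        user_c.failures += 1
        outcomes = []
        # Assumption: reaching the limit (failures >= attempt_limit) triggers the block.
        if ip_c.failures >= self.attempt_limit:
            ip_c.blocked_until = now + self.lockout_minutes * 60
            self.log.append(self._event("remote_address", username, ip))
            outcomes.append("ip_locked")
        if user_c.failures >= self.attempt_limit:
            user_c.blocked_until = now + self.lockout_minutes * 60
            self.log.append(self._event("username", username, ip))
            outcomes.append("user_locked")
        return "+".join(outcomes) or "counted"

    def _event(self, subject: str, username: str, ip: str) -> str:
        # Same shape as the two log messages shown on the page.
        return (f"Authentication denied, too many attempts, {subject} is locked out; "
                f"username='{username}', remote_address='{ip}', "
                f"lockout='{self.lockout_minutes} min'")

    def clear_blocked(self) -> None:
        """Mirror of the console's Clear list of blocked users/IPs option: all lockouts
        and counters are dropped; the protection itself stays enabled."""
        self._by_ip.clear()
        self._by_user.clear()

    def user_failures(self, username: str) -> int:
        return self._by_user.get(username, _Counter()).failures

    def ip_failures(self, ip: str) -> int:
        return self._by_ip.get(ip, _Counter()).failures


if __name__ == "__main__":
    # Constructed walk-through: a low limit so the effect is visible quickly.
    guard = WebLoginGuard(attempt_limit=3, lockout_minutes=10)
    t = 1_000_000.0
    for name in ("alice", "bob", "carol"):
        print(name, guard.record_failure(name, "10.0.0.5", t))
    print("dave during lockout:", guard.record_failure("dave", "10.0.0.5", t))
    for line in guard.log:
        print(line)
```

The walk-through in the main block shows the first rule on the page: three different user names from one IP address lock out that IP address, and the fourth attempt from it is rejected without counting against the user name dave.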
Log messages about blocked user names and IP addresses
If a user name or an IP address is blocked, a log event is created, which provides the details about the blocking. The log event contains the following:
- Cause of the blocking
- User name
- IP address
- Duration of the blocking
Example: log message about a blocked user name
The following example provides the details about the blocking of a user name. The blocked user name is admin and the IP address used is 1.2.3.4. The reason for the blocking is that the user has exceeded the allowed number of unsuccessful authentication attempts. This user is blocked for 60 minutes.
Authentication denied, too many attempts, username is locked out; username='admin', remote_address='1.2.3.4', lockout='60 min'
Example: log message about a blocked IP address
The following example provides the details about the blocking of an IP address. The user is admin and the blocked IP address is 1.2.3.4. The reason for the blocking is that the allowed number of unsuccessful authentication attempts has been reached from this IP address. This IP address is blocked for 40 minutes.
Authentication denied, too many attempts, remote_address is locked out; username='admin', remote_address='1.2.3.4', lockout='40 min'
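As an added example of how a log collector could consume these events (this is not SPS code, and SPS itself offers no such parser on this page), the following Python extracts the four documented fields from lockout messages of the form shown above and counts lockouts per source address and per user name, which is the view a SOC wants when deciding whether one source is spraying many accounts or one account is being attacked from many sources. The two page messages are used as input together with constructed extra lines (addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, user names svc_backup and jsmith, and a success line that the parser must ignore); the regular expression is searched rather than anchored so that a timestamp or host prefix in front of the message does not matter.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Pattern for the lockout event in the exact form shown on this page.
LOCKOUT_RE = re.compile(
    r"Authentication denied, too many attempts, "
    r"(?P<subject>username|remote_address) is locked out; "
    r"username='(?P<username>[^']*)', "
    r"remote_address='(?P<remote_address>[^']*)', "
    r"lockout='(?P<lockout>\d+) min'"
)

# Constructed sample input: the first two lines are the page's own examples,
# the rest are made up for this illustration.
SAMPLE_LINES = [
    "Authentication denied, too many attempts, username is locked out; "
    "username='admin', remote_address='1.2.3.4', lockout='60 min'",
    "Authentication denied, too many attempts, remote_address is locked out; "
    "username='admin', remote_address='1.2.3.4', lockout='40 min'",
    "Authentication denied, too many attempts, remote_address is locked out; "
    "username='svc_backup', remote_address='198.51.100.7', lockout='10 min'",
    "Authentication denied, too many attempts, remote_address is locked out; "
    "username='jsmith', remote_address='198.51.100.7', lockout='10 min'",
    "Authentication succeeded; username='jsmith', remote_address='203.0.113.10'",
]


def parse_lockout(line: str) -> Optional[Dict[str, object]]:
    """Return the documented fields (cause, user name, IP address, duration)
    of a lockout event, or None for any other line."""
    m = LOCKOUT_RE.search(line)
    if m is None:
        return None
    return {
        "cause": "username_lockout" if m["subject"] == "username" else "ip_lockout",
        "username": m["username"],
        "remote_address": m["remote_address"],
        "lockout_minutes": int(m["lockout"]),
    }


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count lockouts per blocked IP address and per blocked user name."""
    events = [e for e in (parse_lockout(line) for line in lines) if e is not None]
    ip_lockouts = Counter(e["remote_address"] for e in events if e["cause"] == "ip_lockout")
    user_lockouts = Counter(e["username"] for e in events if e["cause"] == "username_lockout")
    return {
        "events": len(events),
        "ip_lockouts": dict(ip_lockouts),          # IP blocked -> how many times
        "username_lockouts": dict(user_lockouts),  # user name blocked -> how many times
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_lockout(line))
    print(summarize(SAMPLE_LINES))
```

A source address that keeps reappearing in ip_lockouts after each lockout period is the pattern of a slow, repeated guess run; a user name appearing in username_lockouts while ip_lockouts stays empty is the distributed case the second rule on the page is meant to catch.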
Unblocking blocked user names and IP addresses
The web lockout counter for a user name or IP address is reset if:
- The lockout period is over.
- The server is rebooted.
- The secondary node becomes active after an HA failover.
- The root user clears the list of blocked users/IP addresses on the Troubleshooting page of the text-based physical or SSH console.
NOTE: If you are the root user, on the Troubleshooting page of the text-based physical or SSH console, you can clear the list of blocked user names and IP addresses using the Clear list of blocked users/IPs option. If you clear the list, users and IP addresses that previously were blocked due to exceeding the allowed number of web login attempts can attempt logging in again. Clearing the list does not disable the Protect against brute-force attacks option.
Configuring the Protect against brute-force attacks option
To configure the Protect against brute-force attacks option, on SPS, navigate to Basic Settings > Local Services > Web login.
Figure 55: Basic Settings > Local Services > Web login
For information on how to configure the web login for administrators and users, and as part of it, how to configure the Protect against brute-force attacks option, see section Configuring user and administrator login addresses.