Locking Accounts After Failed Attempts

Greetings all,

I was wondering if there is any way to auto lock an account after a number of failed login attempts? This includes the admin account to protect against password attacks.

Regards

Hi @asfoorial

You can use the configuration below in your config.yml file.

auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 3
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: internal
    allowed_tries: 3
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
2 Likes
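
To see how the two listeners in the answer above interact, here is a simplified model of them. It is an added example, not part of the original posts and not the plugin's own code. It assumes a block starts when failures inside the window reach allowed_tries and that a blocked key is rejected before the password is checked; FailureLimiter, replay and run_sample are hypothetical names.

```python
from collections import defaultdict, deque

class FailureLimiter:
    """Simplified model of one auth_failure_listeners entry (not plugin code)."""
    def __init__(self, allowed_tries, time_window_seconds, block_expiry_seconds):
        self.allowed_tries = allowed_tries
        self.window = time_window_seconds
        self.block_expiry = block_expiry_seconds
        self.failures = defaultdict(deque)  # key -> times of recent failures
        self.blocked_until = {}             # key -> time the block lifts

    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def record_failure(self, key, now):
        q = self.failures[key]
        q.append(now)
        while q[0] <= now - self.window:    # drop failures outside the window
            q.popleft()
        if len(q) >= self.allowed_tries:    # assumed: block on reaching the limit
            self.blocked_until[key] = now + self.block_expiry
            q.clear()

def replay(events, ip_limiter, user_limiter):
    """events: (time, ip, username, password_ok) -> list of outcomes."""
    outcomes = []
    for t, ip, user, password_ok in events:
        if ip_limiter.is_blocked(ip, t) or user_limiter.is_blocked(user, t):
            outcomes.append("blocked")      # rejected before the password check
        elif password_ok:
            outcomes.append("ok")
        else:
            ip_limiter.record_failure(ip, t)
            user_limiter.record_failure(user, t)
            outcomes.append("failed")
    return outcomes

# Constructed events; IPs are from the documentation ranges.
EVENTS = [
    (0, "192.0.2.10", "admin", False),
    (10, "192.0.2.10", "admin", False),
    (20, "192.0.2.10", "admin", False),    # third failure trips both limiters
    (30, "192.0.2.10", "admin", True),     # correct password, still blocked
    (40, "198.51.100.7", "admin", True),   # other IP, username still blocked
    (50, "198.51.100.7", "alice", True),   # other user and IP unaffected
    (621, "192.0.2.10", "admin", True),    # blocks lifted after 600 s
]

def run_sample():
    return replay(EVENTS, FailureLimiter(3, 3600, 600), FailureLimiter(3, 3600, 600))
```

In this model the `type: username` listener blocks the account from every source address until block_expiry_seconds passes, so with these values a locked admin account stays unavailable to its legitimate owner for 600 seconds as well.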