This shows you the differences between two versions of the page.

Link to this comparison view

documentation:latest:bruteforceprotection [2020/01/15 21:45] (current)
Line 1: Line 1:
 +====== Brute Force Protection plugin ======
 +This plugin prevents brute force attack. Plugin DISABLED by default.
 +After some failed login attempts, user must wait (30 seconds by default) before trying to log in again.
 +The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of an user. If disabled, automated tools may submit thousands of password attempts in a matter of seconds.
 +===== Configuration =====
 +To enable Brute Force Attack protection :
 +Go in Manager, ''​General Parameters''​ » ''​Advanced Parameters''​ » ''​Security''​ » ''​Brute-force attack protection''​ and set to ''​On''​.
 +To modify waiting time (30 seconds by default) before reAuthentication,​ MaxAge between current and last stored failed login (300 seconds by default) or number of allowed failed login attempts (3 by default) edit ''​lemonldap-ng.ini''​ in section [portal]:
 +<file ini>
 +bruteForceProtectionTempo = 30
 +bruteForceProtectionMaxAge = 300
 +bruteForceProtectionMaxFailed = 3
 +<note important>​
 +Number of failed login attempts stored in history MUST be higher than allowed failed logins for this plugin takes effect.