Blocking Functionality


To protect user accounts from being compromised by password guessing, the system provides Login page and User blocking functionality.

Currently, two types of blocking functionality can be distinguished in the system: so-called “Hard” and “Soft” blocking.

Configuration: System Configuration - Block User Login

[Image: blocking_settings.png]

Soft Block Configuration

Soft blocking blocks the login page for a specified period of time after a certain number of failed login attempts, to prevent further attacks. On the blocked login page the user cannot perform any other login attempts until the blocking time elapses, but the Forgot your password functionality remains available. After the specified period of time the login page automatically becomes active again.

In order to activate the soft blocking functionality, configure the following parameters:

Parameter name | Description
--- | ---
Enable | Enables soft blocking, which prevents further attempts to compromise the user account by blocking the login page. Turned off by default.
Number of Failed Attempts before Blocking | The number of failed login attempts after which the login page is blocked for further login attempts. Default value is 3.
(parameter name missing from the page) | The period of time, in seconds, for which the login page stays blocked for further login attempts after the user has failed to log in the number of times specified in the Number of Failed Attempts before Blocking property. Default period is 20 seconds.
Number of Failed Attempts Before Sending an Email | The number of failed login attempts after which an email is sent to notify about the possible attack.
Email Template | A template for the emails sent to notify about a possible attack to the email addresses specified in the Email Address property.

Blocking mail properties: the template includes placeholders that are replaced with actual data when the email is sent.

  • ${date} — the date when the attack was performed

  • ${time} — the time when the attack was performed

  • ${sysName} — the name of the system specified by the systemName property

  • ${userName} — the name of the user for whose login the attack was performed

  • ${times} — the number of performed attacks

  • ${ip} — the IP address from which the last unsuccessful login was performed

  • ${ipList} — the list of all IP addresses from which failed login attempts were performed

Note!

The number of already performed failed login attempts is reset in the following cases:

  • After the login page blocking time elapses

  • After the user logs in successfully

  • After the user resets his password via the Forgot your password functionality

  • After the application server is restarted

Hard Block Configuration

Hard blocking makes a user inactive after the specified number of failed login attempts has been performed for his login. An inactivated user can only be made active again by the system administrator. According to the standard system functionality, an inactivated user can neither log in to the system nor reset his password. In order to activate the hard blocking functionality, configure the following properties:

Parameter name | Description
--- | ---
Enable | Enables hard blocking, which inactivates a user who has performed a certain number of failed login attempts. Disabled by default.
Number of Failed Attempts before Blocking | The number of failed login attempts after which the user is made inactive. As soon as the user is inactive, he cannot log in to the system even with the correct login and password, nor reset his/her password via the Forgot Your Password functionality. Default value is 10.
Seconds to Store Count of Unsuccessful Login Attempts | The period of time during which the count of already performed failed login attempts is stored. After this period elapses, the count is reset to 0. Default value is 24 hours, counted from the first failed login attempt.
Email Template | A template for the emails sent to notify about a possible attack to the email addresses specified in the Email Address property.

Notification

Parameter name | Description
--- | ---
Email Address | The email address to which a notification about a possible attack is sent after the user has performed the number of failed login attempts specified in the Number of Failed Attempts Before Sending an Email property. Several addresses can be specified, separated by commas.
Notify User | Enable to send the notification email about a possible attack to the user for whose login the attack is performed. The email is sent according to the number of attempts specified in the Number of Failed Attempts Before Sending an Email property. Disabled by default.
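The soft block, the hard block, the counter reset rules and the notification template described on this page, combined in one added Python model of the login service. This is illustrative code written for this page, not the product's own implementation, and several details are assumptions: the page does not name the soft blocking period parameter, so it is called soft_block_seconds here; the Number of Failed Attempts Before Sending an Email is counted on the soft counter; a successful login resets only the soft counter (the page lists reset rules for the soft block only) while the hard counter is kept for its 24 hour window; the Notify User address is derived from the login name; passwords are compared in plaintext purely to keep the example short; the email addresses, system name, template text, user and IP addresses are constructed sample values. Email sending is replaced by a list of (recipients, body) tuples so the example runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from string import Template
from typing import Dict, List, Optional


@dataclass
class BlockingConfig:               # Block User Login parameters; defaults are the page's defaults
    soft_enabled: bool = True
    soft_attempts: int = 3          # Number of Failed Attempts before Blocking (soft)
    soft_block_seconds: int = 20    # how long the login page stays blocked (name assumed)
    hard_enabled: bool = True
    hard_attempts: int = 10         # Number of Failed Attempts before Blocking (hard)
    hard_window_seconds: int = 24 * 3600   # Seconds to Store Count of Unsuccessful Login Attempts
    notify_attempts: int = 3        # Number of Failed Attempts Before Sending an Email
    notify_user: bool = False       # Notify User
    email_address: str = "admin@example.test, secops@example.test"   # Email Address (constructed)
    system_name: str = "demo-system"                                 # systemName (constructed)
    email_template: str = ("${date} ${time} ${sysName}: ${times} failed logins for ${userName}, "
                           "last from ${ip}, all from ${ipList}")     # constructed Email Template


@dataclass
class UserState:
    password: str                   # plaintext only to keep the example short
    active: bool = True             # False once hard-blocked; only an administrator re-activates
    soft_failures: int = 0          # reset when the block elapses or the user logs in successfully
    soft_blocked_until: Optional[datetime] = None
    hard_failures: int = 0          # stored for hard_window_seconds from the first failure
    hard_first_failure: Optional[datetime] = None
    failed_ips: List[str] = field(default_factory=list)


class LoginService:
    def __init__(self, cfg: BlockingConfig, users: Dict[str, UserState], now: datetime):
        self.cfg, self.users, self.now = cfg, users, now   # injected clock for a deterministic run
        self.sent_mail: List[tuple] = []                   # (recipients, body); nothing is really sent

    def login(self, username: str, password: str, ip: str) -> str:
        u = self.users[username]
        if not u.active:
            return "inactive"                  # hard-blocked: even the correct password is refused
        if u.soft_blocked_until is not None:
            if self.now < u.soft_blocked_until:
                return "soft_blocked"          # login page blocked; the attempt is not evaluated
            u.soft_failures, u.soft_blocked_until = 0, None   # blocking time elapsed: counter resets
        if password == u.password:
            u.soft_failures = 0                # success resets the soft counter (hard counter kept)
            return "ok"
        return self._record_failure(username, u, ip)

    def _record_failure(self, username: str, u: UserState, ip: str) -> str:
        u.failed_ips.append(ip)
        u.soft_failures += 1
        if (u.hard_first_failure is None or self.now - u.hard_first_failure
                >= timedelta(seconds=self.cfg.hard_window_seconds)):
            u.hard_failures, u.hard_first_failure = 0, self.now   # stored count expired: start over
        u.hard_failures += 1
        if u.soft_failures == self.cfg.notify_attempts:
            self._notify(username, u, ip)
        if self.cfg.hard_enabled and u.hard_failures >= self.cfg.hard_attempts:
            u.active = False                   # hard block: the user is inactivated
            return "inactive"
        if self.cfg.soft_enabled and u.soft_failures >= self.cfg.soft_attempts:
            u.soft_blocked_until = self.now + timedelta(seconds=self.cfg.soft_block_seconds)
        return "bad_credentials"

    def _notify(self, username: str, u: UserState, ip: str) -> None:
        body = Template(self.cfg.email_template).safe_substitute(   # the page's placeholders
            date=self.now.date().isoformat(), time=self.now.time().isoformat(timespec="seconds"),
            sysName=self.cfg.system_name, userName=username, times=u.soft_failures, ip=ip,
            ipList=", ".join(dict.fromkeys(u.failed_ips)))          # de-duplicated, first-seen order
        recipients = [a.strip() for a in self.cfg.email_address.split(",")]
        if self.cfg.notify_user:           # assumption: the user's address derives from the login name
            recipients.append(f"{username}@example.test")
        self.sent_mail.append((recipients, body))


def demo() -> dict:
    svc = LoginService(BlockingConfig(), {"alice": UserState("correct horse")},
                       datetime(2024, 1, 1, 9, 0, 0))
    out = {"first": [svc.login("alice", "wrong", "203.0.113.5") for _ in range(3)]}
    out["while_blocked"] = svc.login("alice", "correct horse", "203.0.113.5")
    svc.now += timedelta(seconds=20)
    out["after_block"] = svc.login("alice", "correct horse", "203.0.113.5")
    # Guessing resumes after every 20 s soft block: the soft counter resets each time, but the
    # 24 h hard counter keeps growing until the user is inactivated.
    escalation: List[str] = []
    while "inactive" not in escalation and len(escalation) < 100:
        r = svc.login("alice", "wrong", "198.51.100.7")
        if r == "soft_blocked":
            svc.now += timedelta(seconds=20)
        escalation.append(r)
    out["escalation"] = escalation
    out["inactive_even_with_password"] = svc.login("alice", "correct horse", "198.51.100.7")
    svc.users["alice"].active = True       # only the system administrator can re-activate
    out["after_admin_activate"] = svc.login("alice", "correct horse", "198.51.100.7")
    out["mails_sent"], out["first_mail"] = len(svc.sent_mail), svc.sent_mail[0][1]
    return out
```

Running demo() shows why the two mechanisms complement each other: with the page's defaults, three failures block the page for 20 seconds and trigger the first notification, but because the soft counter resets every time the block elapses, slow guessing would otherwise continue indefinitely; the hard counter, stored for 24 hours from the first failure, reaches 10 after the third round and inactivates the user, after which even the correct password is refused until an administrator intervenes.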