Introduced in Variphy version 12.4, Brute Force Login Protection provides the ability to lock (jail) User IDs and/or IP Addresses based on invalid login attempts. Administrators can configure the number of attempts allowed within a specified timeframe, set the length of time a jailing lasts, and remove a User or IP from jail.
Brute Force Login Protection currently supports local Variphy login attempts and cannot block SAML or Active Directory failed login attempts.
How to enable Brute Force Login Protection
- Navigate to Variphy System Settings > User Accounts & Groups
- Once in User Accounts & Groups navigate to the Settings page
- Toggle on IP Address Protection and/or Username Protection. Both options can be enabled at the same time, each with its own thresholds.
- IP Address Protection will lock out an IP Address that has X number of failed login attempts based on your configured thresholds.
- Username Protection will lock out a Username that has X number of failed login attempts based on your configured thresholds.
Configuring Brute Force Protection thresholds
Once protection is enabled you will be presented with several options to define the protection thresholds, send an email when a Username or IP Address is locked and release a locked out Username or IP Address.
- The first threshold defines how many times a failed login can be attempted before it is locked out.
- The second threshold defines the time period within which those login attempts must occur before it is locked out. Options 1 and 2 work in conjunction.
- The third threshold defines how long a user is locked out.
In the example below, someone must attempt to log in 5 times within 10 minutes to be locked out, and they will then be locked out for 4 minutes.
Once a Username or IP Address has been locked, an email alert can be sent providing information on the Username and/or IP Address that has been locked.
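The three thresholds above (attempts, time period, lockout duration), tracked separately per Username and per IP Address, can be modelled as a sliding window. This is an added Python example, not Variphy's implementation; the `Jail` class, the `replay` function and the sample events are hypothetical, and it assumes that attempts rejected while jailed are not counted.

```python
from collections import defaultdict, deque

class Jail:
    """Lock a key after max_failures failed logins inside window_s seconds, for lock_s seconds."""
    def __init__(self, max_failures, window_s, lock_s):
        self.max_failures, self.window_s, self.lock_s = max_failures, window_s, lock_s
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.jailed_until = {}              # key -> second at which the lock expires

    def is_jailed(self, key, now):
        until = self.jailed_until.get(key)
        if until is not None and now >= until:
            del self.jailed_until[key]      # lock duration has passed
            return False
        return until is not None

    def record_failure(self, key, now):
        """Count one failed login; return True if it newly jails the key."""
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] >= self.window_s:  # forget failures outside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self.jailed_until[key] = now + self.lock_s
        recent.clear()
        return True

    def release(self, key):  # administrator removes a key from jail before the lock expires
        self.failures.pop(key, None)
        return self.jailed_until.pop(key, None) is not None

def replay(events, user_jail, ip_jail):
    """events: (second, username, ip) failed logins. Returns each new lock as (second, kind, key)."""
    locks = []
    for now, user, ip in events:
        if user_jail.is_jailed(user, now) or ip_jail.is_jailed(ip, now):
            continue  # assumption: attempts rejected while jailed are not counted
        if user_jail.record_failure(user, now):
            locks.append((now, "username", user))
        if ip_jail.record_failure(ip, now):
            locks.append((now, "ip", ip))
    return locks

# Constructed sample: one IP failing once against six usernames, then five IPs failing against "alice".
SAMPLE = [(i * 10, f"user{i}", "192.0.2.10") for i in range(6)]
SAMPLE += [(100 + i * 10, "alice", f"198.51.100.{i + 1}") for i in range(5)]
def demo():  # 5 attempts / 10 minutes / 4 minutes for both protections
    return replay(SAMPLE, Jail(5, 600, 240), Jail(5, 600, 240))
```

With the 5 attempts / 10 minutes / 4 minutes values, the constructed sample locks the IP Address on its fifth failure even though no single Username reached the threshold, and locks `alice` even though no single IP Address did, which is why the two protections are worth enabling together.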
How to remove a Username or IP Address from Jail
Once a Username or IP Address has been jailed, the person attempting to log in will receive a message stating “Your Account has been locked. Try again later, and if you still have trouble, contact your admin.”
To unlock a user, you must log into Variphy using an Administrator Account. If the IP Address itself has been locked, you must navigate to the Variphy web interface from a different IP Address.
- Once logged into Variphy as an Administrator navigate to System Settings > User Accounts & Groups
- Once in User Accounts & Groups navigate to the Settings page.
At the bottom of the Settings page, click the delete icon to remove the user or IP Address from jail, then click Save to release the Username or IP Address.
If you have locked out the Variphy “Admin” account, you will need to wait for the defined thresholds to pass, or generate an account recovery key and contact Variphy Customer Support.