User Lockout
CloverDX can lock out a user's access after a set number of unsuccessful login attempts, as a way of protecting against brute-force attacks on users' credentials.
The lockout occurs only in CloverDX; for example, it does not affect the LDAP directory when LDAP user authentication is used. By default, the feature is disabled.
Information regarding user lockout is stored in the USER_ACTION server log. Notifications can be sent via e-mail; however, this requires a connection to an SMTP server to be set up in the E-mail tab of the Setup GUI.
The feature has several parameters, which can be set by modifying the following lines in the configuration file, either directly or in the Configuration File tab of the Setup GUI:
Table 21.5. User lockout parameters

Parameter | Description |
---|---|
security.lockout.login.attempts | Limits the number of failed login attempts of a user. The next failed login attempt will lock the user's access. When setting the value, keep in mind that CloverDX Designer with several server projects can attempt to log in multiple times. The recommended value is 50. |
security.lockout.reset.period | Represents the period (in seconds) during which failed login attempts are counted. If no such attempt occurs during this period, the counter of failed login attempts is reset. The default value is 60 seconds. |
security.lockout.unlock.period | Represents the period (in seconds) after which a successful login attempt will unlock the previously locked user. After this period, the user is able to log in using their credentials again without needing the account to be unlocked by the administrator. The parameter protects the system against denial of service (DoS) attacks and should be set to a reasonable value, so that you are not locked out of the system for too long in case the administrator's account is affected by the attack. The default value is 300 seconds. |
security.lockout.notification.email | A comma-separated list of e-mail addresses of persons who should be notified when a user lockout occurs. Note that the locked-out user receives the notification e-mail automatically (if the server's SMTP connection is configured and they have provided their e-mail address). This parameter should therefore be set, for example, to an administrators' mail group so they are aware of the situation. |
The recommended default values are chosen to protect the system against brute-force attacks, prevent a complete lockout of administrator access, and not limit users in standard usage of CloverDX Server.
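The following is an added, illustrative model of how the three timing parameters above interact; it is not CloverDX's own code, and the names `LockoutPolicy`, `LockoutTracker` and `simulate` are this example's, not the server's. It assumes, as the table states, that the counter is reset once no failed attempt has occurred for `reset_period` seconds, that a user is locked by the failed attempt following `login_attempts` failures, and that after `unlock_period` seconds only a successful login unlocks the user (a further failure keeps the account locked). The assumption that a successful login also clears the failure counter is this example's, not the page's. The credential check is a constructed stand-in for the real authentication back end.

```python
"""Illustrative model of a login-lockout policy with the parameters described
in the CloverDX documentation. Added example code, not CloverDX's implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # security.lockout.login.attempts: failures tolerated; the next one locks.
    # 0 switches the feature off.
    login_attempts: int = 50
    # security.lockout.reset.period: seconds without a failed attempt after
    # which the failure counter is reset.
    reset_period: float = 60.0
    # security.lockout.unlock.period: seconds after locking, after which a
    # successful login unlocks the user without administrator action.
    unlock_period: float = 300.0
    # security.lockout.notification.email: recipients of the lockout notice.
    notification_emails: Tuple[str, ...] = ()


@dataclass
class UserState:
    failed_count: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    """Tracks failed logins per user and decides the outcome of each attempt."""

    def __init__(self, policy: LockoutPolicy, verify: Callable[[str, str], bool]):
        self.policy = policy
        self.verify = verify                    # stand-in for the real credential check
        self.states: Dict[str, UserState] = {}
        self.notifications: List[Tuple[str, Tuple[str, ...]]] = []  # (locked user, recipients)

    def attempt_login(self, user: str, password: str, now: float) -> str:
        """Return 'success', 'failure', 'locked' or 'unlocked' for one attempt at time `now`."""
        p = self.policy
        st = self.states.setdefault(user, UserState())

        if st.locked_at is not None:
            if now - st.locked_at < p.unlock_period:
                return "locked"                 # lock period still running; password irrelevant
            if self.verify(user, password):
                self.states[user] = UserState() # unlock period elapsed and credentials correct
                return "unlocked"
            return "locked"                     # a failed attempt never unlocks

        if self.verify(user, password):
            self.states[user] = UserState()     # assumption: success clears the counter
            return "success"

        # Failed attempt: a quiet spell of reset_period since the last failure resets the count.
        if st.last_failure is not None and now - st.last_failure >= p.reset_period:
            st.failed_count = 0
        st.failed_count += 1
        st.last_failure = now

        if p.login_attempts > 0 and st.failed_count > p.login_attempts:
            st.locked_at = now
            # Notification goes to the configured list; the page says the user is mailed too.
            self.notifications.append((user, p.notification_emails))
            return "locked"
        return "failure"


def simulate(policy: LockoutPolicy, events: List[Tuple[float, str, str]]):
    """Replay (time, user, password) events; return the outcomes and the tracker."""
    # Constructed credential check: every user's password is the same fixed string.
    tracker = LockoutTracker(policy, lambda user, pw: pw == "correct-horse")
    outcomes = [tracker.attempt_login(u, pw, t) for t, u, pw in events]
    return outcomes, tracker


if __name__ == "__main__":
    demo_policy = LockoutPolicy(login_attempts=3, reset_period=60, unlock_period=300,
                                notification_emails=("admins@example.com",))
    demo_events = [(0, "alice", "wrong"), (1, "alice", "wrong"), (2, "alice", "wrong"),
                   (3, "alice", "wrong"), (10, "alice", "correct-horse"),
                   (303, "alice", "wrong"), (304, "alice", "correct-horse")]
    for (t, user, _), outcome in zip(demo_events, simulate(demo_policy, demo_events)[0]):
        print(f"t={t:>4}s {user}: {outcome}")
```

The replay makes the DoS trade-off in the table concrete: an attacker who keeps failing against an administrator's account can keep it locked for at most `unlock_period` seconds at a time, after which the administrator's own correct login gets through, so a short unlock period limits the damage while a high attempt limit keeps the counter from tripping on legitimate Designer reconnects.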
The properties can be set in the following section of the properties file:

```properties
## Uncomment the lines below to enable user lockout after a number of failed logins
## Number of failed login attempts after which the next failed login attempt will lock the user
## 0 means the feature is switched off
## Default suggested value is 50
#security.lockout.login.attempts=50
## Periods are specified in seconds
## Period of time during which the failed login attempts are counted
## Default is 60s (1 min)
#security.lockout.reset.period=60
## Period of time after which a successful login attempt will unlock a previously locked user
## Default is 300s (5 min)
#security.lockout.unlock.period=300
## Comma-separated list of e-mail addresses which will be notified when a user is locked out
#security.lockout.notification.email=
```
Unlocking a User
Once a user's access is locked, you can see the status in the Users tab of the Configuration section.
To unlock the user, click the button in the Action column of the respective row and choose Unlock.