4.5. Configuring Protection Against Brute-Force Attacks
To protect the system against brute-force (or password guessing) attacks, Virtuozzo PowerPanel can use device cookies as an extra authenticator for user devices. This allows the system to distinguish between trusted and untrusted clients and temporarily lock the latter out.
Protection is enabled by default.
To configure protection behavior, edit the following parameters in the [device_cookie] section of the /etc/keystone/keystone.conf configuration file:
Enables or disables protection. Set to the boolean value False to disable protection.
The maximum number of authentication attempts that a user can fail before the device cookie or untrusted client is locked for the number of seconds specified in
The number of seconds a device cookie or an untrusted client is locked for after failing as many authentication attempts as specified in
The directory with the public and private keys for validating JSON web signatures (JWS). Must be readable by Keystone’s server process.
Restart the Apache HTTP Server on the controller to apply changes:
# systemctl restart httpd
Because blocked users are stored in the memory cache, restarting Keystone clears that cache and gives them an additional attempt to guess the password before lockout.
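The lockout logic described above, and the in-memory nature of the block list, written out as an added illustration (this is not Keystone's or Virtuozzo PowerPanel's own code; the class, its parameter names enabled, max_attempts and lock_seconds, and the cookie identifiers are assumptions for the example):

```python
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    failures: int = 0        # failed attempts since the last success/unlock
    locked_until: float = 0.0  # monotonic timestamp; 0.0 means not locked


class DeviceCookieGuard:
    """Failed-login tracker keyed by device cookie (trusted client) or by a
    client identifier for clients without a cookie (untrusted client).
    Parameter names are assumed for illustration, not Keystone's own."""

    def __init__(self, enabled=True, max_attempts=5, lock_seconds=300,
                 clock=time.monotonic):
        self.enabled = enabled
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self._clock = clock
        self._entries = {}  # memory only: a restart empties it, as on the page

    def is_locked(self, key):
        entry = self._entries.get(key)
        if entry is None or not self.enabled:
            return False
        if entry.locked_until > self._clock():
            return True
        if entry.locked_until:      # lock has expired: counting starts afresh
            self._entries.pop(key, None)
        return False

    def record_failure(self, key):
        """Count one failed authentication; returns True when key is locked."""
        if not self.enabled:
            return False
        if self.is_locked(key):     # attempts during a lock do not extend it
            return True
        entry = self._entries.setdefault(key, _Entry())
        entry.failures += 1
        if entry.failures >= self.max_attempts:
            entry.locked_until = self._clock() + self.lock_seconds
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure count for that key."""
        self._entries.pop(key, None)
```

Constructing a fresh DeviceCookieGuard models the Keystone restart: every previously blocked key is unknown to it again.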