4.5. Configuring Protection Against Brute-Force Attacks
To protect the system against brute-force (or password guessing) attacks, Virtuozzo PowerPanel can use device cookies as an extra authenticator for user devices. This allows the system to distinguish between trusted and untrusted clients and temporarily lock the latter out.
Protection is enabled by default.
To configure protection behavior, edit the following parameters in the [device_cookie] section of the /etc/keystone/keystone.conf configuration file:

lockout_enable (default: True)
    Enables or disables protection. Set to False to disable protection.

lockout_failure_attempts (default: 5)
    The maximum number of authentication attempts that a user can fail before the device cookie or untrusted client is locked for the number of seconds specified in lockout_duration.

lockout_duration (default: 600)
    The number of seconds a device cookie or an untrusted client is locked for after failing as many authentication attempts as specified in lockout_failure_attempts.

jws_key_repository (default: /etc/keystone/device-cookie-keys/)
    The directory with the public and private keys for validating JSON web signatures (JWS). Must be readable by Keystone's server process.
Restart the Apache HTTP Server on the controller to apply changes:
# systemctl restart httpd
Note
Lockout state is kept only in the memory cache. Restarting Keystone (which the httpd restart above does) clears that state, so clients that were locked out can resume guessing passwords until they reach lockout_failure_attempts again.
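The following script is an added example for this page, not Virtuozzo PowerPanel or Keystone code. It parses a keystone.conf, resolves the effective [device_cookie] options against the defaults documented above (treating commented-out or missing options as defaults, the way the service does), estimates how many guesses per hour one untrusted client can still make, and flags settings that weaken the lockout. The thresholds MAX_ATTEMPTS and MIN_DURATION and the sample configurations are this example's own assumptions, not product values.

```python
"""Audit the [device_cookie] brute-force settings of a keystone.conf.

Added example for this page; not Virtuozzo PowerPanel or Keystone code.
Defaults are the documented ones; MAX_ATTEMPTS and MIN_DURATION are this
example's own assumed thresholds for what counts as a weak configuration.
"""
import configparser

SECTION = "device_cookie"

# Documented defaults for the [device_cookie] section.
DEFAULTS = {
    "lockout_enable": "True",
    "lockout_failure_attempts": "5",
    "lockout_duration": "600",
    "jws_key_repository": "/etc/keystone/device-cookie-keys/",
}

# Assumed thresholds (not product values): report as weak when an untrusted
# client may fail more than MAX_ATTEMPTS times per lockout, or when the
# lockout lasts less than MIN_DURATION seconds.
MAX_ATTEMPTS = 10
MIN_DURATION = 300

TRUE_VALUES = {"true", "yes", "on", "1"}
FALSE_VALUES = {"false", "no", "off", "0"}


def parse_bool(value):
    """Parse the boolean spellings accepted by oslo.config-style INI files."""
    normalized = value.strip().lower()
    if normalized in TRUE_VALUES:
        return True
    if normalized in FALSE_VALUES:
        return False
    raise ValueError("not a boolean: %r" % value)


def effective_settings(config_text):
    """Return the [device_cookie] options in effect, using the documented
    default for any option the file leaves unset or commented out."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    raw = dict(DEFAULTS)
    if parser.has_section(SECTION):
        for key in DEFAULTS:
            if parser.has_option(SECTION, key):
                raw[key] = parser.get(SECTION, key).strip()
    attempts = int(raw["lockout_failure_attempts"])
    duration = int(raw["lockout_duration"])
    return {
        "lockout_enable": parse_bool(raw["lockout_enable"]),
        "lockout_failure_attempts": attempts,
        "lockout_duration": duration,
        "jws_key_repository": raw["jws_key_repository"],
        # Rough upper bound on sustained guesses per hour from one untrusted
        # client: it can fail `attempts` times, is locked for `duration`
        # seconds, then gets another round.
        "max_guesses_per_hour": (attempts * 3600 / duration
                                 if duration > 0 else float("inf")),
    }


def audit(config_text):
    """Return a list of findings; an empty list means the lockout looks sane."""
    s = effective_settings(config_text)
    findings = []
    if not s["lockout_enable"]:
        findings.append("lockout_enable is False: brute-force protection is disabled")
        return findings
    if s["lockout_failure_attempts"] > MAX_ATTEMPTS:
        findings.append("lockout_failure_attempts=%d allows more than %d guesses per lockout"
                        % (s["lockout_failure_attempts"], MAX_ATTEMPTS))
    if s["lockout_duration"] < MIN_DURATION:
        findings.append("lockout_duration=%ds is shorter than %ds"
                        % (s["lockout_duration"], MIN_DURATION))
    return findings


# Constructed sample configurations (not taken from a real controller).
DEFAULT_CONF = "[DEFAULT]\n[device_cookie]\n# lockout_enable = True\n"
WEAK_CONF = ("[device_cookie]\n"
             "lockout_enable = true\n"
             "lockout_failure_attempts = 50\n"
             "lockout_duration = 30\n")
DISABLED_CONF = "[device_cookie]\nlockout_enable = False\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = WEAK_CONF
    for finding in audit(text) or ["no weak settings found"]:
        print(finding)
```

Run it as `python3 audit_device_cookie.py /etc/keystone/keystone.conf` on the controller after editing the file and before restarting httpd; with no argument it audits the constructed WEAK_CONF sample. The max_guesses_per_hour figure is the number worth comparing against your password policy: the documented defaults bound one untrusted client to about 30 guesses per hour, while the sample weak configuration allows 6000.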