4.5. Configuring Protection Against Brute-Force Attacks

To protect the system against brute-force (or password guessing) attacks, Virtuozzo PowerPanel can use device cookies as an extra authenticator for user devices. This allows the system to distinguish between trusted and untrusted clients and temporarily lock the latter out.

Protection is enabled by default.

To configure protection behavior, edit the following parameters in the [device_cookie] section of the /etc/keystone/keystone.conf configuration file:

lockout_enable (default: boolean True)

Enables and disables protection. Set to boolean False to disable protection.

lockout_failure_attempts (default: 5)

The maximum number of authentication attempts that a user can fail before the device cookie or untrusted client is locked for the number of seconds specified in lockout_duration.

lockout_duration (default: 600)

The number of seconds a device cookie or an untrusted client is locked for after failing as many authentication attempts as specified in lockout_failure_attempts.

jws_key_repository (default: /etc/keystone/device-cookie-keys/)

The directory with the public and private keys for validating JSON web signatures (JWS). Must be readable by Keystone’s server process.

Restart the Apache HTTP Server on the controller to apply changes:

# systemctl restart httpd
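As an added example (not part of the Virtuozzo or Keystone code base), the following script merges the [device_cookie] section of a keystone.conf over the defaults documented above and flags settings that weaken the lockout policy relative to them. Treating the documented defaults as the acceptable baseline is an assumption, and the sample configuration is constructed for the demonstration.

```python
import configparser

# Documented defaults for the [device_cookie] section of /etc/keystone/keystone.conf.
DEFAULTS = {
    "lockout_enable": "True",
    "lockout_failure_attempts": "5",
    "lockout_duration": "600",
    "jws_key_repository": "/etc/keystone/device-cookie-keys/",
}

def effective_settings(conf_text: str) -> dict:
    """Merge the [device_cookie] section (if present) over the documented defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    merged = dict(DEFAULTS)
    if parser.has_section("device_cookie"):
        merged.update(parser.items("device_cookie"))
    return merged

def audit_device_cookie(conf_text: str) -> list:
    """Flag settings weaker than the documented defaults (assumed baseline; tune per site)."""
    s = effective_settings(conf_text)
    findings = []
    if s["lockout_enable"].strip().lower() not in ("true", "1", "yes", "on"):
        findings.append("lockout_enable is off: brute-force protection is disabled")
    try:
        attempts = int(s["lockout_failure_attempts"])
        if attempts > int(DEFAULTS["lockout_failure_attempts"]):
            findings.append(f"lockout_failure_attempts={attempts} is looser than the default 5")
    except ValueError:
        findings.append("lockout_failure_attempts is not an integer")
    try:
        duration = int(s["lockout_duration"])
        if duration < int(DEFAULTS["lockout_duration"]):
            findings.append(f"lockout_duration={duration}s is shorter than the default 600s")
    except ValueError:
        findings.append("lockout_duration is not an integer")
    return findings

# Constructed sample keystone.conf with protection disabled and thresholds loosened.
SAMPLE_CONF = """[device_cookie]
lockout_enable = False
lockout_failure_attempts = 50
lockout_duration = 30
"""

if __name__ == "__main__":
    for finding in audit_device_cookie(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with `audit_device_cookie(open("/etc/keystone/keystone.conf").read())` as part of a post-change check, before restarting httpd.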

Note

Because blocked users are tracked only in the in-memory cache, restarting Keystone clears that state and gives them an additional attempt to guess the password before they are locked out again.