Failed Logon Attempts Policy
Before you start
Goal
- Define an appropriate policy for detecting and responding to failed logon attempts for internal Altair SLC Hub users
To guard against brute force attempts to crack the passwords of Altair SLC Hub users, Altair SLC Hub can be configured to track failed logon attempts. This is disabled by default, but it is recommended to enable it if internal Altair SLC Hub users are used.
Configuration
The brute force detection policy is configured using the auth.bruteForceDetectionPolicy configuration section.
To create a custom brute force detection policy, create a new configuration file in the etc/config.d directory with a name such as passwordpolicy.yaml, with contents such as:
auth:
  bruteForceDetectionPolicy:
    enabled: true
    clearFailuresAfter: 12h
    maxLoginFailures: 5
    waitIncrement: 1m
    maxFailureWait: 15m
    maxTemporaryLockouts: 2
    permanentLockout: true
An example configuration, along with comments on the configuration settings, can be found in the etc/config.d/auth.yaml configuration file.
Note that the configuration files in the etc/config.d directory are read in alphabetical order. However, none of the installation-supplied configuration files contain explicit settings for the brute force detection policy, so the name of the file containing a custom brute force detection policy does not have to be alphabetically later than auth.yaml for it to have an effect.
Configuration Settings
clearFailuresAfter
This is the maximum time between logon failures that are considered. If a logon failure occurs more than this duration after the last one, the logon failure count is reset.
maxLoginFailures
This is the maximum number of logon failures before a lockout (temporary or permanent) is triggered.
waitIncrement
This is the duration of a temporary lockout. Note that each subsequent temporary lockout increases by this amount, but only up to the value of maxFailureWait.
For example, if maxLoginFailures is set to 2 and waitIncrement is set to 5m, then after 2 logon failures the user will be locked out for 5 minutes. After 2 further logon failures the user will be locked out for 10 minutes, and so on, up to the value of maxFailureWait.
maxFailureWait
This is the maximum amount of time that a user will be temporarily locked out for on any given lockout.
maxTemporaryLockouts
This is the maximum number of times a user can be temporarily locked out before being permanently locked out. Only relevant if permanentLockout is true.
permanentLockout
Indicates whether a user will be permanently locked out if the maximum number of temporary lockouts is exceeded.
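To make the interaction of these settings concrete, the following is an added Python model of the policy as described above; it is not Altair SLC Hub's own code and does not show how the Hub implements the policy internally. It assumes durations are given in seconds, that the failure count restarts after each lockout, and that failures arriving during a lockout are counted like any other.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BruteForcePolicy:
    # Mirrors auth.bruteForceDetectionPolicy; durations are in seconds.
    enabled: bool = True
    clear_failures_after: float = 12 * 3600   # clearFailuresAfter: 12h
    max_login_failures: int = 5               # maxLoginFailures
    wait_increment: float = 60                # waitIncrement: 1m
    max_failure_wait: float = 15 * 60         # maxFailureWait: 15m
    max_temporary_lockouts: int = 2           # maxTemporaryLockouts
    permanent_lockout: bool = True            # permanentLockout

@dataclass
class UserState:
    failures: int = 0                         # failures in the current window
    last_failure: Optional[float] = None
    temporary_lockouts: int = 0               # temporary lockouts served so far
    locked_until: float = 0.0
    permanently_locked: bool = False

def record_failure(policy: BruteForcePolicy, state: UserState, now: float) -> str:
    """Apply one failed logon at `now`; returns 'disabled', 'counted', 'temporary' or 'permanent'."""
    if not policy.enabled:
        return "disabled"
    if state.permanently_locked:
        return "permanent"
    # clearFailuresAfter: a failure arriving too long after the previous one
    # starts a fresh count instead of extending the old one.
    if state.last_failure is not None and now - state.last_failure > policy.clear_failures_after:
        state.failures = 0
    state.last_failure = now
    state.failures += 1
    if state.failures < policy.max_login_failures:
        return "counted"
    state.failures = 0  # assumption: the count restarts after each lockout
    # maxTemporaryLockouts / permanentLockout: once the allowed number of
    # temporary lockouts has been used up, the next trigger is permanent.
    if policy.permanent_lockout and state.temporary_lockouts >= policy.max_temporary_lockouts:
        state.permanently_locked = True
        return "permanent"
    state.temporary_lockouts += 1
    # waitIncrement grows with each lockout, capped by maxFailureWait.
    wait = min(policy.wait_increment * state.temporary_lockouts, policy.max_failure_wait)
    state.locked_until = now + wait
    return "temporary"

def is_locked(state: UserState, now: float) -> bool:
    # True while a temporary lockout is in force or the account is permanently locked.
    return state.permanently_locked or now < state.locked_until
```

Running the page's own example (maxLoginFailures 2, waitIncrement 5m) through this model gives a 5 minute lockout after the second failure and a 10 minute lockout after the fourth, with the third trigger becoming permanent when maxTemporaryLockouts is 2.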
Restart Altair SLC Hub
Having changed the brute force detection policy configuration, first verify that the configuration is read from the files correctly using the hubctl config print command:
hubctl config print auth.bruteForceDetectionPolicy
It is then necessary to restart the authentication service for the change in configuration to take effect. Restart the service using the following command:
hubctl service restart auth