Configuring the Brute Force IP Lockout Feature

Brute Force Attacks use a process of trial-and-error to guess the right credentials.  The attack works by using repeated sequential attempts to try and guess your username and password combination and force their way into your private accounts.  While considered an old attack method it’s still effective and popular with Cyber Criminals as it can result in relatively quick results depending on the length and complexity of your passwords.

Brute Force Attacks come in many unsavoury flavours and include;

Simple Brute Force Attacks: Where the attempt is to logically guess your credentials without the use of software tools or other means.

Dictionary Attacks: Where targeted accounts are subjected to repeated attempts of gaining access based on dictionaries containing known passwords.  Dictionary attacks are considered one of the most basic tools used in brute force attacks.

Reverse Brute Force Attacks: This style of attack starts with a password and then millions of usernames are searched through until a match is found. The starting point is usually by referencing leaked passwords available as a result of data breaches.

Credential Stuffing:  Is where Username and Password combinations that have worked for one website are retried against other websites the targeted individual may use.

Does Passwordstate Protect Against Brute Force Attacks

Yes, Passwordstate has a number of options for Blocking Brute Force Attacks to your Passwordstate webserver.  The first is located under Administration->System Settings->authentication options->Web Authentication Options.  Here you can specify the number of permitted failed login attempts before Passwordstate locks out the IP Address for the active session as per the screenshot below;  

You can also delay the returned error message by the specified number of seconds.  This makes it harder for Cyber Criminals to identify if the account actually exists (so they can harvest valid account details), or if the password supplied is simply incorrect.

The next option is to configure X-Forwarded-For support.  X-Forwarded-For is a standard header for identifying the originating IP address of a client connecting to a web server through a Firewall, HTTP proxy or load balancer.  When configured, in Passwordstate and your upstream devices, it enables you to lock-out the IP address of the computer the user is logged into and not the upstream device such as the Firewall.  Note your upstream device also needs to be configured for X-Forwarded-For support.

To tell Passwordstate you have configured your device for X-Forwarded-For support, navigate to Administration->System Settings->proxy & syslog servers-> X-Forwarded-For Support and enter the IP Addresses of trusted devices as per the screenshot below;

Note as of Passwordstate V9 Build 9117, we have added in an additional feature that takes the username into consideration when locking out an IP Address.  In these examples, it means that 3 unsuccessful login attempts, from the same user/IP address will lock their IP Address out if they were accessing your site from behind a device that isn’t configured for X-Forwarded-For Support.

Some users have been incorrectly Locked Out

This can happen if you set too aggressive a target for failed logins.  It’s a fine balancing act between not penalizing users when they incorrectly enter their details and preventing Brute Force attacks.  Every organization should consider the risk and impact and set the number of failed logins accordingly.

However, if a user’s IP address has been incorrectly blocked you can remove the blocked IP address by navigating to Administration->Brute Force Blocked IPs and select the Action icon next to the incorrectly blocked IP and click on Remove Blocked IP Address as per the screenshot below;

Make Brute Force Attacks Harder

Even though you can apply the settings outlined above there are still some prudent steps you can take to make it harder for a Brute Force Attacks. 

The first of these is to always use strong passwords.  Remember dictionary attacks using a list of common passwords, or a hybrid brute force attack that performs small changes to words by adding numbers or changing the letter case, are likely to succeed in some cases.  You need strong passwords to make their life harder.  Secondly, use 2FA where it makes sense.  Two-factor authentication can prevent Cyber Criminals from gaining access to your accounts.  It makes it nearly impossible for them to gain access to an account via a Brute Force Attack.

Have feedback, then we’d love to hear it via