# Intrusion Prevention
# Brute-force Prevention
For organizations that desire an additional level of security, we provide an intrusion prevention feature which will lock users out after a given number of failed login attempts. This feature can be enabled by setting the lockout configuration in the application configuration file.
# Password Rules
It may also be desirable to enable specific password rules such as minimum length, enforcing certain characters, and requiring password resets at certain intervals. These features can be enabled by setting password_min_length, password_requirements and password_expire_days.
# Sample Configuration:
The following example configuration adds strong password requirements, triggers an IP ban for 2 minutes after 5 failed login attempts within 1 minute, and stores 100 MB of authentication logs.
```yaml
password_expire_days: 90
password_min_length: 8
password_requirements:
  upper_case: yes
  lower_case: yes
  digits: yes
  special_characters: yes
lockout:
  enabled: true
  max_attempts: 5      # failed logins allowed within the interval
  interval: 60         # seconds (1 minute)
  ban_duration: 120    # seconds (2 minutes)
authentication_log:
  enabled: yes
  path: /var/log/filemage/auth.log
  max_size_mb: 10      # 10 MB per file x 10 backups = 100 MB
  max_backups: 10
  compress: yes
```
# Authentication Logging
Detailed logging of all authentication events can be enabled using the configuration parameter authentication_log. These logs can be shipped to external systems for alerting or visualization purposes.
- LOGIN_SUCCESS: user provided valid credentials
- LOGIN_FAILED: user provided invalid credentials
- LOGIN_BLOCKED: login attempt from blocked IP address
- IP_BANNED: IP address banned after too many failed login attempts
- BAN_EXPIRED: IP address ban expired
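
To show which event sequences the sample lockout settings would produce, here is an added model of the policy in Python. It is an illustration written for this page, not FileMage's own code. It assumes failures are counted per source IP in a sliding window and that BAN_EXPIRED is recorded on the next attempt after the ban ends; the class and function names are hypothetical.

```python
from collections import defaultdict, deque

class LockoutModel:
    """Hypothetical model of the lockout settings; not FileMage's implementation."""
    def __init__(self, max_attempts=5, interval=60, ban_duration=120):
        self.max_attempts = max_attempts
        self.interval = interval            # seconds, as in the sample configuration
        self.ban_duration = ban_duration    # seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time at which the ban ends

    def attempt(self, ip, now, valid):
        """Process one login attempt and return the event names it would log."""
        events = []
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return ["LOGIN_BLOCKED"]    # credentials are never evaluated
            del self.banned_until[ip]
            events.append("BAN_EXPIRED")
        if valid:
            return events + ["LOGIN_SUCCESS"]
        events.append("LOGIN_FAILED")
        window = self.failures[ip]
        window.append(now)
        # Drop failures that have fallen out of the sliding window.
        while window and window[0] <= now - self.interval:
            window.popleft()
        if len(window) >= self.max_attempts:
            self.banned_until[ip] = now + self.ban_duration
            window.clear()
            events.append("IP_BANNED")
        return events

def replay(attempts, **policy):
    """Replay (ip, time, valid) tuples and return the events for each attempt."""
    model = LockoutModel(**policy)
    return [(ip, t, model.attempt(ip, t, valid)) for ip, t, valid in attempts]

# Constructed sample: five quick failures, a blocked retry, a login after expiry,
# and a second IP whose failures are too far apart to trip the limit.
SAMPLE = [("203.0.113.7", t, False) for t in (0, 10, 20, 30, 40)] + [
    ("203.0.113.7", 50, True),    # correct password, but the IP is banned
    ("203.0.113.7", 161, True),   # ban set at t=40 ended at t=160
    ("198.51.100.9", 0, False), ("198.51.100.9", 61, False),
]

if __name__ == "__main__":
    for ip, t, events in replay(SAMPLE):
        print(f"t={t:>3}s {ip:<13} {', '.join(events)}")
```

In this model a LOGIN_BLOCKED event following IP_BANNED means a client kept trying during the ban, which is a useful signal to alert on when the logs are shipped to an external system.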