user_filter(4gx) | Gromox admin reference | user_filter(4gx) |
Name
user_filter — Service plugin for application of user login limits
Description
This plugin implements two core ideas (each independently configurable):
- A mechanism for banning user identities for a set time window. When a user repeatedly fails to successfully authenticate, the http(8gx), imap(8gx), pop3(8gx) daemons can add the user to this list and set a time during which all authentication requests for the user are rejected. This is a bit like fail2ban, but operates on usernames rather than hosts/IP addresses.
- A mechanism for rate-limiting authentication attempts. Whenever a user tries to authenticate, the daemons report the attempt to the user_filter plugin, and the plugin ensures that only a given number of attempts can be made per time quantum, per user. This is a bit like iptables -m (hash)limit.
Configuration directives (gromox.cfg)
- userfilter_icase
- Treat usernames as case-insensitive within the user_filter plugin.
Default: true
- userfilter_maxbans
- Controls how much memory the banlist mechanism of user_filter is allowed
to use at most, by limiting the number of unique usernames recorded. The
list replacement policy is none (so, slightly different from MRU). The
value 0 therefore deactivates user_filter's banlist mechanism.
Default: 1000
- userfilter_maxusers
- Controls how much memory the rate-limiting mechanism of user_filter is
allowed to use at most, by limiting the number of unique usernames. The
list replacement policy is none. The value 0 therefore deactivates
user_filter's rate-limiting mechanism.
Default: 0
- userfilter_rl_maxtries
- Rate-limit all authentication calls to rl_maxtries per rl_window. Note
that there can be a lot of requests, particularly over MAPI/HTTP
since every single HTTP request counts as one attempt. (Opening a message
with MFCMAPI already incurs 4 HTTP requests. The Windows EMSMDB connector
is anything but efficient.)
Default: 10
- userfilter_rl_window
- Rate-limit all authentication attempts to rl_maxtries per rl_window.
Default: 1minute
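
A gromox.cfg fragment that turns on both mechanisms described above, added here as an illustration and not taken from the Gromox documentation. The directive names and the defaults mentioned in the comments come from this page; the values 1000 (for userfilter_maxusers) and 600 are constructed and should be sized from observed traffic.

```ini
# Constructed example for gromox.cfg. Values marked "constructed" are
# illustrative only and must be tuned for the deployment.

# Treat "Alice@Example.com" and "alice@example.com" as the same identity,
# so that changing letter case does not get a separate counter (default).
userfilter_icase=true

# Banlist: remember up to 1000 banned usernames (the default).
# Setting this to 0 deactivates the banlist mechanism.
userfilter_maxbans=1000

# Rate limiter: the default is 0, which deactivates it. The two rl_*
# directives below only matter once this is non-zero.
# 1000 is a constructed value, chosen here to mirror userfilter_maxbans.
userfilter_maxusers=1000

# Every HTTP request over MAPI/HTTP counts as one attempt, and opening a
# single message with MFCMAPI already costs 4 requests. With the default
# of 10 tries per window, a legitimate client is throttled after opening
# two or three messages. 600 is a constructed value.
userfilter_rl_maxtries=600

# Length of the counting window (the default).
userfilter_rl_window=1minute
```

Because neither list has a replacement policy, userfilter_maxbans and userfilter_maxusers also cap how many distinct usernames can be tracked at once, so they should be at least as large as the number of accounts expected to authenticate within one window.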
See also
Gromox |