
user_filter(4gx) Gromox admin reference user_filter(4gx)

Name

user_filter — Service plugin for application of user login limits

Description

This plugin implements two core ideas (each independently configurable):

  • A mechanism for banning user identities for a set time window. When a user repeatedly fails to successfully authenticate, the http(8gx), imap(8gx), pop3(8gx) daemons can add the user to this list and set a time during which all authentication requests for the user are rejected. This is a bit like fail2ban, but operates on usernames rather than hosts/IP addresses.
  • A mechanism for rate-limiting authentication attempts. Whenever a user tries to authenticate, the daemons report the attempt to the user_filter plugin, and the plugin ensures that only a given number of attempts can be made per time quantum, per user. This is a bit like iptables -m (hash)limit.

Configuration directives (gromox.cfg)

Treat usernames as case-insensitive within the user_filter plugin.
Default: true
Controls how much memory the banlist mechanism of user_filter is allowed to use at most, by limiting the number of unique usernames recorded. The list replacement policy is none (so, slightly different from MRU). The value 0 therefore deactivates user_filter's banlist mechanism.
Default: 1000
Controls how much memory the rate-limiting mechanism of user_filter is allowed to use at most, by limiting the number of unique usernames. The list replacement policy is none. The value 0 therefore deactivates user_filter's rate-limiting mechanism.
Default: 0
Rate-limit all authentication calls to rl_maxtries per rl_window. Note that there can be a lot of requests, particularly over MAPI/HTTP since every single HTTP request counts as one attempt. (Opening a message with MFCMAPI already incurs 4 HTTP requests. The Windows EMSMDB connector is anything but efficient.)
Default: 10
Rate-limit all authentication attempts to rl_maxtries per rl_window.
Default: 1minute
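
The following is an added sizing model, not Gromox source code. It shows how rl_maxtries, rl_window, the username cap and case-insensitive matching interact. The names UserRateLimiter and simulate_message_opens, the fixed-window counting, the purging of expired entries and the "untracked" verdict (table full, attempt cannot be counted) are assumptions of this sketch; the page does not state what the plugin does when the table is full.

```python
# Added illustration; a model of the directives above, not the plugin's code.
class UserRateLimiter:
    """Per-username fixed-window counter (assumed semantics)."""

    def __init__(self, maxusers, rl_maxtries=10, rl_window=60, icase=True):
        self.maxusers = maxusers        # cap on unique usernames; 0 deactivates
        self.rl_maxtries = rl_maxtries  # attempts permitted per window
        self.rl_window = rl_window      # window length in seconds
        self.icase = icase              # fold usernames to one case
        self.table = {}                 # username -> [window_start, tries]

    def check(self, username, now):
        """Return 'allowed', 'limited' or 'untracked' for one auth attempt."""
        if self.maxusers == 0:
            return "allowed"            # rate limiting deactivated
        key = username.lower() if self.icase else username
        entry = self.table.get(key)
        if entry is not None and now - entry[0] >= self.rl_window:
            entry = None                # window elapsed, start a new one
        if entry is None:
            # No replacement policy: expired entries are dropped (assumption),
            # but a live entry is never evicted to make room for a new user.
            self.table = {k: v for k, v in self.table.items()
                          if now - v[0] < self.rl_window}
            if len(self.table) >= self.maxusers:
                return "untracked"
            entry = self.table[key] = [now, 0]
        entry[1] += 1
        return "allowed" if entry[1] <= self.rl_maxtries else "limited"


def simulate_message_opens(limiter, user, opens, requests_per_open=4, start=0.0):
    """Tally verdicts when `opens` messages are opened inside one window.

    requests_per_open=4 is the MFCMAPI figure quoted in the text above.
    """
    verdicts = {"allowed": 0, "limited": 0, "untracked": 0}
    for i in range(opens * requests_per_open):
        verdicts[limiter.check(user, start + i * 0.1)] += 1
    return verdicts


if __name__ == "__main__":
    # Constructed username; defaults of 10 tries per 60 seconds.
    limiter = UserRateLimiter(maxusers=100)
    print(simulate_message_opens(limiter, "alice@example.com", opens=3))
```

With the default of 10 attempts per minute, the third message opened over MAPI/HTTP within the same minute already exceeds the limit in this model, which is the effect the note on rl_maxtries describes.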

See also

gromox(7)

Gromox