Rebex Buru SFTP Server documentation

Account lockout

Account lockout is a basic mechanism which protects passwords against brute-force attacks. After each failed login attempt a failed login counter is incremented by one. Once the counter reaches threshold (10 by default) the account is locked and all further login attempts (with valid password or not) in the next 15 minutes will result in login failure. This period can be configured by lockoutDuration property. The account lockout can be disabled by setting threshold to 0.

The counter is reset after successful login or after a time period following last login attempt. This value can be configured by setting resetCounterPeriod property. This value is auto-set to lockoutDuration if not set explicitly and must always be greater or equal to lockoutDuration property.

Manual lockout

A user account can be manually locked to disable user login. The account can be locked and be unlocked only for a period of time when it is needed. It is useful for example for an administrators account which is needed once in a while.

Manual lockout can be done either using Rebex Buru SFTP Server Web Administration or burusftp user update <username> --lock command.

Unlocking users

Users can be manually unlocked either using Rebex Buru SFTP Server Web Administration or burusftp user update <username> --unlock command.


Account lockout (manual or via failed login counter) is shared with both Rebex Buru SFTP Server and Rebex Buru SFTP Server Web Administration.

See also configuration file manual and command line manpage.

What next?


Download fully functional free 30-day trial.

Free download

Non-commercial use

Get a free non-commercial license. It includes most of the features of Professional edition.

Get free license

Commercial use

If you use the server for anything related to business or commercial use you have to purchase a license.

Sales contact

Buy a license

Get help

The server is completely free for personal, academy and other non-commercial use.

Technical support