Account lockout

Account lockout is a basic mechanism that protects passwords against brute-force attacks. Each failed login attempt increments a failed login counter by one. Once the counter reaches the threshold (10 by default), the account is locked and all further login attempts in the next 15 minutes fail, whether the password is valid or not. This period can be configured with the lockoutDuration property. Account lockout can be disabled by setting the threshold to 0.

The counter is reset after a successful login or after a time period following the last login attempt. This period can be configured by setting the resetCounterPeriod property. If it is not set explicitly, it is automatically set to the value of lockoutDuration. It must always be greater than or equal to lockoutDuration.
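The following Python model is an added example, not Rebex code: it simulates the counter, threshold, lockoutDuration and resetCounterPeriod rules described above so that the effect of a setting on an attacker's guessing rate can be checked. All class and function names are hypothetical, and where the page is silent (how the reset period is measured, what happens to the counter once the account locks) the code marks its assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int = 10                                   # page default; 0 disables lockout
    lockout_duration: timedelta = timedelta(minutes=15)   # 15 minutes, as on the page
    reset_counter_period: Optional[timedelta] = None      # unset -> lockout_duration

    def __post_init__(self):
        if self.reset_counter_period is None:
            self.reset_counter_period = self.lockout_duration
        if self.reset_counter_period < self.lockout_duration:
            raise ValueError("resetCounterPeriod must be >= lockoutDuration")

class Account:
    def __init__(self, policy: LockoutPolicy):
        self.policy, self.failures = policy, 0
        self.last_attempt = self.locked_until = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def login(self, password_ok: bool, now: datetime) -> bool:
        if self.is_locked(now):
            return False                  # locked: a valid password fails too
        # Assumption: the reset period is measured from the last evaluated attempt.
        if self.last_attempt and now - self.last_attempt >= self.policy.reset_counter_period:
            self.failures = 0
        self.last_attempt = now
        if password_ok:
            self.failures = 0             # successful login resets the counter
            return True
        self.failures += 1
        if self.policy.threshold > 0 and self.failures >= self.policy.threshold:
            self.locked_until = now + self.policy.lockout_duration
            self.failures = 0             # assumption: counter restarts after a lock
        return False

def guesses_evaluated(policy, window, interval=timedelta(seconds=1)) -> int:
    """Wrong guesses that reach the password check when one arrives every `interval`."""
    acct, count = Account(policy), 0
    t = start = datetime(2024, 1, 1)      # constructed start time
    while t < start + window:
        count += not acct.is_locked(t)
        acct.login(False, t)
        t += interval
    return count
```

Under these assumptions, `guesses_evaluated(LockoutPolicy(), timedelta(hours=1))` returns 40, while `LockoutPolicy(threshold=0)` lets all 3600 one-per-second guesses through.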

Manual lockout

A user account can be manually locked to disable user login. The account can stay locked and be unlocked only for the period of time when it is needed. This is useful, for example, for an administrator’s account that is needed only once in a while.

Manual lockout can be done either using Rebex Buru SFTP Server Web Administration or with the burusftp user update <username> --lock command:

# lock user indefinitely
burusftp user update <username> --lock

# lock user for 10 days 
burusftp user update <username> --lock 10d

# compound values can be used
burusftp user update <username> --lock "10d 5h 30m"

# lock user until specified date
burusftp user update <username> --lock 2050-12-31

# time can also be added
burusftp user update <username> --lock "2050-12-31 13:00"

Unlocking users

Users can be manually unlocked either using Rebex Buru SFTP Server Web Administration or using the command line:

# unlock user
burusftp user update <username> --unlock

Notes

Account lockout (manual or via the failed login counter) is shared between Rebex Buru SFTP Server and Rebex Buru SFTP Server Web Administration.

See also the configuration file manual and the command line manpage.