Account lockout

Account lockout protects passwords against brute-force attacks by locking a user account after too many failed login attempts. An account can also be locked manually — either indefinitely or for a specified duration.

Account lockout is shared between Buru SFTP Server and its Web Administration: a lock applied through either one affects both.

Failed login threshold

After a configurable number of consecutive failed logins, the account is locked for a set period. The counter resets on the next successful login or after a reset period elapses.

The policy is configured in the security.accountLockoutPolicy section of config.yaml:

  • threshold — failed attempts that trigger a lock (default 10; set to 0 to disable automatic lockout).
  • lockoutDurationSeconds — how long the account stays locked (default 900, i.e. 15 minutes).
  • resetCounterPeriodSeconds — time after the last failed attempt before the counter resets (defaults to lockoutDurationSeconds; must be equal to or greater than it).

Manual lockout

An administrator can lock an account directly, bypassing the failed-login counter. A manual lock can be open-ended or bounded by a duration or an absolute date.

Accounts are locked and unlocked from Web Administration or via the burusftp user update command — see Inspect, lock, and delete users for the CLI procedure.