diff options
Diffstat (limited to 'docs/bruteforce-protection.markdown')
-rw-r--r-- | docs/bruteforce-protection.markdown | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/docs/bruteforce-protection.markdown b/docs/bruteforce-protection.markdown new file mode 100644 index 00000000..633cfe87 --- /dev/null +++ b/docs/bruteforce-protection.markdown @@ -0,0 +1,26 @@ +Bruteforce Protection +===================== + +The brute force protection of Kanboard works at the user account level: + +- After 3 authentication failure for the same username, the login form show a captcha image to prevent automated bot tentatives. +- After 6 authentication failure, the user account is locked down for a period of 15 minutes. + +This feature works only for authentication methods that use the login form. + +However, **after 3 authentication failure through the user API**, the account have to be unlocked by using the login form. + +Kanboard doesn't block any IP addresses since bots can use several anonymous proxies. However, you can use external tools like [fail2ban](http://www.fail2ban.org) to avoid massive scans. + +Default settings can be changed with these configuration variables: + +```php +// Enable captcha after 3 authentication failure +define('BRUTEFORCE_CAPTCHA', 3); + +// Lock the account after 6 authentication failure +define('BRUTEFORCE_LOCKDOWN', 6); + +// Lock account duration in minute +define('BRUTEFORCE_LOCKDOWN_DURATION', 15); +``` |