User Login Lockout for Security Compliance
To help reduce the risk of brute force attacks on Redis Enterprise Software (RS), RS includes user login restrictions. You can customize the restrictions to align with your organization's security policy. Every failed login attempt is recorded in the logs.
User login lockout
The parameters for the user login lockout are:
- Login Lockout Threshold - The number of failed login attempts allowed before the user account is locked. (Default: 5)
- Login Lockout Counter Reset - The amount of time during which failed login attempts are counted. (Default: 15 minutes)
- Login Lockout Duration - The amount of time that the user account is locked after excessive failed login attempts. (Default: 30 minutes)
By default, after 5 failed login attempts within 15 minutes, the user account is locked for 30 minutes.
You can view the user login restrictions for your cluster with:
rladmin info cluster | grep login_lockout
Customizing the user lockout parameters
You can customize the user lockout parameters with rladmin.
Changing the login lockout threshold
You can set the login lockout threshold with the command:
rladmin tune cluster login_lockout_threshold <login_lockout_threshold>
If you set the lockout threshold to
the account is not locked out after failed login attempts, and the cluster settings show:
For example, to set the lockout threshold to 10 failed login attempts:
rladmin tune cluster login_lockout_threshold 10
Changing the login lockout counter reset
You can set the login lockout counter reset, in seconds, with the command:
rladmin tune cluster login_lockout_counter_reset_after <login_lockout_counter_reset_after>
For example, to set the lockout reset to 1 hour:
rladmin tune cluster login_lockout_counter_reset_after 3600
Changing the login lockout duration
You can set the login lockout duration, in seconds, with the command:
rladmin tune cluster login_lockout_duration <login_lockout_duration>
If you set the lockout duration to
the account must be manually unlocked by an administrator, and the cluster settings show:
For example, to set the lockout duration to 1 hour:
rladmin tune cluster login_lockout_duration 3600
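The following script is an added example, not part of the Redis Enterprise Software documentation or product. It wraps the three rladmin tune cluster commands above into a policy-apply step and adds an audit that reads rladmin info cluster output and flags any lockout setting that is missing, disabled, or weaker than a baseline. The baseline values, the "key: value" layout of the rladmin info cluster lines, and the "disabled" value shown for a setting of 0 are assumptions of the example; set RLADMIN=echo to dry-run the apply step.

```shell
#!/bin/sh
# Added example, not code from the Redis Enterprise Software docs or product.
# Audits the cluster's login lockout settings against a baseline and can apply it.
set -eu

# Baseline (assumed for this example): lock after at most 5 failures counted
# over at least 15 minutes, and keep the account locked for at least 30 minutes.
MAX_THRESHOLD=5
MIN_COUNTER_RESET=900
MIN_DURATION=1800

# Command used to talk to the cluster. Set RLADMIN=echo for a dry run.
RLADMIN="${RLADMIN:-rladmin}"

# Read `rladmin info cluster` output on stdin and print the value of one
# "key: value" line (that key/value layout is an assumption of this example).
lockout_value() {
    awk -v k="$1:" '$1 == k { print $2; exit }'
}

# Report a finding when a setting is missing, disabled, or weaker than the
# baseline.  $1 name, $2 value, $3 comparison ("le" or "ge"), $4 bound.
# Prints the finding and returns 1; returns 0 when the setting is acceptable.
check_setting() {
    name=$1; value=$2; op=$3; bound=$4
    case "$value" in
        '')        echo "FINDING: $name not reported"; return 1 ;;
        disabled)  echo "FINDING: $name is disabled"; return 1 ;;
        *[!0-9]*)  echo "FINDING: $name has unexpected value '$value'"; return 1 ;;
    esac
    if [ "$op" = le ] && [ "$value" -gt "$bound" ]; then
        echo "FINDING: $name=$value exceeds baseline $bound"; return 1
    fi
    if [ "$op" = ge ] && [ "$value" -lt "$bound" ]; then
        echo "FINDING: $name=$value is below baseline $bound"; return 1
    fi
    return 0
}

# Read `rladmin info cluster` output on stdin; print findings and return the
# number of findings (0 means the cluster meets the baseline).
audit_lockout_settings() {
    info=$(cat)
    findings=0
    thr=$(printf '%s\n' "$info" | lockout_value login_lockout_threshold)
    reset=$(printf '%s\n' "$info" | lockout_value login_lockout_counter_reset_after)
    dur=$(printf '%s\n' "$info" | lockout_value login_lockout_duration)
    check_setting login_lockout_threshold "$thr" le "$MAX_THRESHOLD" || findings=$((findings + 1))
    check_setting login_lockout_counter_reset_after "$reset" ge "$MIN_COUNTER_RESET" || findings=$((findings + 1))
    check_setting login_lockout_duration "$dur" ge "$MIN_DURATION" || findings=$((findings + 1))
    return "$findings"
}

# Apply the baseline with the documented `rladmin tune cluster` commands.
apply_lockout_policy() {
    "$RLADMIN" tune cluster login_lockout_threshold "$MAX_THRESHOLD"
    "$RLADMIN" tune cluster login_lockout_counter_reset_after "$MIN_COUNTER_RESET"
    "$RLADMIN" tune cluster login_lockout_duration "$MIN_DURATION"
}

# Usage:  ./lockout_audit.sh audit    (reads live settings from rladmin)
#         ./lockout_audit.sh apply    (sets the baseline values)
case "${1:-}" in
    audit) "$RLADMIN" info cluster | audit_lockout_settings ;;
    apply) apply_lockout_policy ;;
esac
```

The audit treats a disabled threshold or duration as a finding on purpose: a threshold of 0 means accounts never lock, and a duration that requires manual unlock is only acceptable if someone is actually watching the logs for lockouts. Run the audit from a scheduled job and alert on a nonzero exit status to catch drift after someone loosens the settings with rladmin tune.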
Unlocking locked user accounts
Before the lockout duration ends, an administrator can change the user password in order to manually unlock the user account.
To reset a user password from the CLI, run:
rladmin cluster reset_password <username>
You are asked to enter and confirm the new password.