User Lockout

CloverETL can lock a user's access after a set number of unsuccessful login attempts as a way of protecting against brute force attacks on users' credentials.

The lockout occurs only in CloverETL. For example, it will not affect LDAP in the case of LDAP user authentication. By default, the feature is disabled.

Information regarding user lockout is stored in the USER_ACTION server log. Notifications can be sent via email; however, it is necessary to set up a connection to an SMTP server in the E-mail tab of the Setup GUI.

The feature has several parameters which can be set by modifying the following lines in the configuration file, either directly or in the Configuration File tab of the Setup GUI:

security.lockout.login.attempts

Sets the number of failed login attempts a user is allowed. The next failed login attempt after that number is reached will lock the user's access.

When setting the value, keep in mind that CloverETL Designer with several server projects can attempt to log in multiple times.

The recommended value is 50. Change the value to 0 to disable the feature.

security.lockout.reset.period

Represents the period (in seconds) during which failed login attempts are counted. If no such attempt occurs during this period, the counter of failed login attempts is reset to 0. This way, the user does not have to worry about accidentally locking himself out of the system after a certain number of failed login attempts over an extended period of time.

The default value is 60 (1 minute). Change the value to 0 to set the period to infinity.

security.lockout.unlock.period

Represents the period (in seconds) after which a successful login attempt will unlock the previously locked user. After this period, the user is able to log in using his credentials again without the need to have his account unlocked by the administrator.

This parameter limits the impact of denial of service (DoS) attacks that deliberately trigger lockouts, and should be set to a reasonable value so you are not locked out of the system for too long in case the administrator's account is affected by such an attack.

The default value is 300 (5 minutes). Change the value to 0 to set the period to infinity.

security.lockout.notification.email

The parameter represents a comma separated list of emails of persons who should be notified when a user lockout occurs.

Note that the locked-out user receives the notification email automatically (if the server's SMTP is configured and they have provided their email address). This parameter should therefore be set, for example, to an administrators' mail group so they are aware of the situation.

The recommended default values are set in such a way as to efficiently protect the system against brute force attacks, prevent complete lockout of the administrator access and not limit users in standard usage of CloverETL Server.

The properties can be set in the following section of the properties file:

## Uncomment lines below to enable user lockout after number of failed logins
## Number of failed login attempts after which a next failed login attempt will lock the user
## 0 means feature is switched off
## default suggested value is 50
#security.lockout.login.attempts=50
## Periods are specified in seconds
## Period of time during which the failed login attempts are counted
## Default is 60s (1 min)
#security.lockout.reset.period=60
## Period of time after which a successful login attempt will unlock previously locked user
## Default is 300s (5 min)
#security.lockout.unlock.period=300
## Comma separated list of emails which will be notified when user is locked out.
#security.lockout.notification.email=
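To see how the three timing parameters interact when tuning them, the following added example (not CloverETL code) simulates the lockout rules described above for one user: the (attempts+1)-th failure locks, a gap longer than reset.period restarts the counter, a successful login after unlock.period lifts the lock, and 0 keeps its documented meaning. It assumes that a successful login clears the failure counter, which the page does not state, and stands in for the USER_ACTION log with a plain list.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockoutPolicy:
    # The page's three parameters; 0 means "feature off" for attempts, "infinite" for periods
    login_attempts: int = 50   # security.lockout.login.attempts
    reset_period: int = 60     # security.lockout.reset.period, seconds
    unlock_period: int = 300   # security.lockout.unlock.period, seconds

@dataclass
class UserState:
    failed: int = 0                        # failed attempts in the current window
    last_failed_at: Optional[int] = None   # time of the last failure
    locked_at: Optional[int] = None        # None while the user is not locked
    log: List[str] = field(default_factory=list)  # stands in for USER_ACTION entries

def attempt_login(policy: LockoutPolicy, state: UserState, now: int, credentials_ok: bool) -> bool:
    """Apply one login attempt at time `now` (seconds); return True if it succeeds."""
    if state.locked_at is not None:
        elapsed = now - state.locked_at
        # unlock.period=0 (infinity): only admin_unlock() can lift the lock
        if credentials_ok and policy.unlock_period and elapsed >= policy.unlock_period:
            state.locked_at, state.failed = None, 0
            state.log.append(f"{now}s: unlocked by successful login after {elapsed}s")
            return True
        state.log.append(f"{now}s: attempt rejected, user is locked")
        return False
    if credentials_ok:
        state.failed = 0   # assumption: a successful login clears the counter
        return True
    # Failed attempt: if the reset period passed with no failure, start counting afresh
    if (policy.reset_period and state.last_failed_at is not None
            and now - state.last_failed_at > policy.reset_period):
        state.failed = 0
    state.failed += 1
    state.last_failed_at = now
    # login.attempts=0 disables the feature; otherwise the (attempts+1)-th failure locks
    if policy.login_attempts and state.failed > policy.login_attempts:
        state.locked_at = now
        state.log.append(f"{now}s: USER_ACTION lockout after {state.failed} failures; "
                         "notify security.lockout.notification.email recipients")
    return False

def admin_unlock(state: UserState, now: int) -> None:
    """The Users tab 'Unlock' action: clears the lock regardless of unlock.period."""
    state.locked_at, state.failed = None, 0
    state.log.append(f"{now}s: unlocked by administrator")
```

Feeding it a burst of failures from several Designer projects with the real value of 50 shows how close a legitimate retry storm gets to the threshold before changing the setting.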

Unlocking User

Once the user's access is locked, you can see the status in the Users tab of the Configuration section.

Figure 20.8. Locked User

To unlock the user, click on the (...) button in the respective row of the Action column and choose Unlock.

Figure 20.9. Unlocking User

Once you click the Unlock button, you will be prompted to confirm the action.

Click Yes to unlock the user.