user_filter
Name
user_filter — Service plugin for application of user login limits
Description
This plugin implements two core ideas (each independently configurable):
- A mechanism for banning user identities for a set time window. When a user repeatedly fails to authenticate, the http(8gx), imap(8gx) and pop3(8gx) daemons can add the user to this list and set a time during which all authentication requests for the user are rejected. This is a bit like fail2ban, but operates on usernames rather than hosts/IP addresses.
- A mechanism for rate-limiting authentication attempts. Whenever a user tries to authenticate, the daemons report the attempt to the user_filter plugin, and the plugin ensures that only a given number of attempts can be made per time quantum, per user. This is a bit like iptables -m (hash)limit.
Configuration directives (gromox.cfg)
- userfilter_icase
- Treat usernames as case-insensitive within the user_filter plugin. Default: true
- userfilter_maxbans
- Controls how much memory the banlist mechanism of user_filter is allowed to use at most, by limiting the number of unique usernames recorded. The list replacement policy is none (so, slightly different from MRU). The value 0 therefore deactivates user_filter's banlist mechanism. Default: 1000
- userfilter_maxusers
- Controls how much memory the rate-limiting mechanism of user_filter is allowed to use at most, by limiting the number of unique usernames. The list replacement policy is none. The value 0 therefore deactivates user_filter's rate-limiting mechanism. Default: 0
- userfilter_rl_maxtries
- Rate-limit all authentication calls to rl_maxtries per rl_window. Note that there can be a lot of requests, particularly over MAPI/HTTP since every single HTTP request counts as one attempt. (Opening a message with MFCMAPI already incurs 4 HTTP requests. The Windows EMSMDB connector is anything but efficient.) Default: 10
- userfilter_rl_window
- Rate-limit all authentication attempts to rl_maxtries per rl_window. Default: 1minute
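How the rate-limiting directives interact, as a Python model added here for illustration (not Gromox's own code). The names UserRateLimiter, judge and opens_before_limit are hypothetical, and the fixed-window behaviour and the timing are assumptions; letting untracked usernames through follows from the statement that a table size of 0 deactivates the mechanism.

```python
from dataclasses import dataclass, field


@dataclass
class UserRateLimiter:
    """Hypothetical model; field names mirror the gromox.cfg directives."""
    icase: bool = True        # userfilter_icase
    maxusers: int = 0         # userfilter_maxusers (page default: 0)
    rl_maxtries: int = 10     # userfilter_rl_maxtries
    rl_window: float = 60.0   # userfilter_rl_window, in seconds
    _table: dict = field(default_factory=dict, repr=False)

    def judge(self, username: str, now: float) -> bool:
        """Count one authentication attempt; True means it may proceed."""
        key = username.lower() if self.icase else username
        entry = self._table.get(key)
        if entry is None:
            # No replacement policy: a full table never evicts, so a new
            # name goes untracked. With maxusers=0 that is every name,
            # which is how 0 deactivates the mechanism.
            if len(self._table) >= self.maxusers:
                return True
            entry = self._table[key] = [now, 0]
        elif now - entry[0] >= self.rl_window:
            # Assumption: fixed window, restarted by the first attempt
            # after the previous window has run out.
            entry[0], entry[1] = now, 0
        entry[1] += 1
        return entry[1] <= self.rl_maxtries


def opens_before_limit(limiter, user, requests_per_open=4, cap=1000):
    """Whole message opens that pass when each costs several HTTP requests.

    requests_per_open=4 is the MFCMAPI figure from the page; one open per
    second is constructed timing. cap bounds the loop if nothing is limited.
    """
    opens, now = 0, 0.0
    while opens < cap and all(limiter.judge(user, now)
                              for _ in range(requests_per_open)):
        opens += 1
        now += 1.0
    return opens


if __name__ == "__main__":
    tuned = UserRateLimiter(maxusers=1000)  # constructed value
    print(opens_before_limit(tuned, "user@example.com"))              # 2
    print(opens_before_limit(UserRateLimiter(), "user@example.com"))  # 1000 (cap)
```

With 10 tries per minute, a client that spends 4 requests per message open is limited during its third open, so userfilter_rl_maxtries needs sizing against real MAPI/HTTP traffic before userfilter_maxusers is raised above 0.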
See also
gromox(7)