Port Lockout

Port lockout protects against brute-force attacks by temporarily locking the login port after a configurable number of unsuccessful login attempts. Port lockout is supported only on the RealPresence Group Series system web interface, and only Admin users are allowed to log in to the system web interface. If external authentication is not in use, users can successfully log in to the system web interface only by using the local Admin account credentials. However, when external authentication is in use, any number of external accounts can be considered Admin users on the system. Failed logins to any of these accounts, or to an unknown account, are all counted against the configured number of allowed failed login attempts to the system web interface.

The following is an example of how the port lockout feature works.

A system web interface is configured with these settings:
  • Admin Settings > Security > Global Security > Authentication > Enable Active Directory External Authentication is enabled, a valid Active Directory Server Address is configured, as are both the Active Directory Admin Group and Active Directory User Group settings.

  • Admin Settings > Security > Global Security > Access > Enable Legacy API Over SSH is enabled, Lock SSH Port after Failed Logins is set to 3, SSH Port Lock Duration is set to 1 Minute, and Reset SSH Port Lock Counter After is set to 1 Hour.

  • Admin Settings > Security > Global Security > Access > Lock Port after Failed Logins is set to 4.

Scenario 1: Web interface locked due to excessive failed logins

A user fails to log in to the local Admin account two times on the system web interface, and another user fails to log in to the external Active Directory 'SuperUser' account in a separate system web interface session. The 'SuperUser' account is defined as part of the Active Directory Admin Group on the Active Directory Server.

This means that three failed attempts have been made on the system web interface port—two by one user and one by a second user. If the next attempt to log in to the system web interface by either user or some other user is successful, the failed login counter for the system web interface port is reset to zero, allowing 4 more failed attempts to occur on the system web interface.

On the other hand, if after the third failed login attempt any user makes a fourth unsuccessful attempt to any account on the system web interface, further attempts to access the system web interface using any account credentials from any user are locked out for 1 Minute, the value of the SSH Port Lock Duration period. After the 1 Minute port lock period has passed, logins are once again allowed. As this example illustrates, the failed login attempts made to the system web interface accumulate across all attempts to any account by any user.

Scenario 2: Failed attempts counter resets after failed login window closes

A user fails to log in to the local Admin account two times on the system web interface, and another user fails to log in to the external Active Directory 'SuperUser' account in a separate system web interface session. The 'SuperUser' account is defined as part of the Active Directory Admin Group on the Active Directory Server.

This means that three failed attempts have been made on the system web interface port—two by one user and one by a second user. If no more failed attempts are made within 1 Hour of the first failed attempt (which is the value of the Reset SSH Port Lock Counter After setting), the failed login attempts counter is reset to zero, and 4 failed attempts are allowed again before the system web interface is locked.
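The counter behaviour in both scenarios, as an added Python model that is not Polycom's implementation: timestamps are seconds, the account names are illustrative, and the rule that the counter starts fresh once a lock expires is an assumption not stated on the page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the shared failed-login counter described above (not
# Polycom's code). Values come from the example configuration on this page.
MAX_FAILED = 4         # Lock Port after Failed Logins
LOCK_DURATION = 60     # SSH Port Lock Duration: 1 Minute (seconds)
RESET_WINDOW = 3600    # Reset SSH Port Lock Counter After: 1 Hour (seconds)

@dataclass
class PortLockout:
    failed: int = 0                           # one counter for all accounts/users
    first_failure_at: Optional[float] = None  # start of the reset window
    locked_until: Optional[float] = None

    def _reset(self):
        self.failed, self.first_failure_at = 0, None

    def attempt(self, now, account, password_ok):
        """Returns 'LOCKED', 'OK' or 'FAIL'; `account` is only for the reader,
        since every account counts against the same port counter."""
        if self.locked_until is not None and now < self.locked_until:
            return "LOCKED"                   # rejected even with valid credentials
        if self.first_failure_at is not None and now - self.first_failure_at >= RESET_WINDOW:
            self._reset()                     # Scenario 2: window closed, counter resets
        if password_ok:
            self._reset()                     # any success resets the counter
            return "OK"
        if self.first_failure_at is None:
            self.first_failure_at = now
        self.failed += 1
        if self.failed >= MAX_FAILED:         # Scenario 1: 4th failure locks the port
            self.locked_until = now + LOCK_DURATION
            self._reset()                     # assumption: fresh count after the lock
        return "FAIL"

def scenario_1():
    p = PortLockout()
    r = [p.attempt(0, "admin", False), p.attempt(5, "admin", False),
         p.attempt(10, "SuperUser", False), p.attempt(15, "admin", False)]
    r.append(p.attempt(20, "SuperUser", True))   # correct password, but port is locked
    r.append(p.attempt(75, "SuperUser", True))   # 1 Minute has passed
    return r   # ['FAIL', 'FAIL', 'FAIL', 'FAIL', 'LOCKED', 'OK']

def scenario_2():
    p = PortLockout()
    for t in (0, 5, 10):
        p.attempt(t, "admin", False)
    return p.attempt(3600, "admin", False), p.failed   # ('FAIL', 1): count restarted
```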