docs/content/configuration/security/regulation.md
Authelia can temporarily ban accounts when there are too many authentication attempts on the username / password endpoint. This helps prevent brute-force attacks.
{{< config-alert-example >}}

```yaml
regulation:
  modes:
    - 'user'
    - 'ip'
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'
```
This section describes the individual configuration options.
## modes

{{< confkey type="list(string)" default="['user']" required="no" >}}

The modes for regulation. The table below describes each option. The recommended mode is `ip`. It should be noted that, regardless of the currently configured ban modes, if bans exist in the database, the user or IP will be denied access. See the `authelia storage bans` command for information on managing ban entries.
| Mode   | Description                                            |
|--------|--------------------------------------------------------|
| `user` | The user account is the subject of any automatic bans  |
| `ip`   | The remote IP is the subject of any automatic bans     |
## max_retries

{{< confkey type="integer" default="3" required="no" >}}

The number of failed login attempts before a user may be banned. Setting this option to `0` disables regulation entirely.
## find_time

{{< confkey type="string,integer" syntax="duration" default="2 minutes" required="no" >}}

The period of time analyzed for failed attempts. For example, if you set `max_retries` to `3` and `find_time` to `2m`, this means the user must have 3 failed logins within 2 minutes to be banned.
## ban_time

{{< confkey type="string,integer" syntax="duration" default="5 minutes" required="no" >}}

The period of time the user or IP is banned for after reaching `max_retries` failed attempts within `find_time`. After this duration the subject will be able to log in again.
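The following Go model is an added example, not Authelia's own code, showing how the four options interact: failures are counted per subject in a sliding `find_time` window, a ban is issued once `max_retries` failures fall inside that window, and existing bans are enforced for both the user and the IP regardless of the configured `modes`. The `Regulator` type, its constructor and the `user:<name>` / `ip:<address>` key format are assumptions of this example.

```go
package main

import "time"

// Regulator is an added model of this page's regulation options, not
// Authelia's own code. Subjects are keyed "user:<name>" or "ip:<address>".
type Regulator struct {
	Modes      []string
	MaxRetries int // 0 disables regulation entirely
	FindTime   time.Duration
	BanTime    time.Duration
	failures   map[string][]time.Time
	bans       map[string]time.Time // ban expiry per subject
}

func NewRegulator(modes []string, maxRetries int, findTime, banTime time.Duration) *Regulator {
	return &Regulator{Modes: modes, MaxRetries: maxRetries, FindTime: findTime, BanTime: banTime,
		failures: map[string][]time.Time{}, bans: map[string]time.Time{}}
}

// Banned checks both subjects regardless of Modes: an existing ban is
// enforced whatever modes are currently configured.
func (r *Regulator) Banned(user, ip string, now time.Time) bool {
	for _, key := range []string{"user:" + user, "ip:" + ip} {
		if exp, ok := r.bans[key]; ok && now.Before(exp) {
			return true
		}
	}
	return false
}

// RecordFailure logs a failed attempt at now for every configured mode and
// returns the subjects whose failures within find_time reached max_retries.
func (r *Regulator) RecordFailure(user, ip string, now time.Time) (banned []string) {
	for _, mode := range r.Modes {
		key := map[string]string{"user": "user:" + user, "ip": "ip:" + ip}[mode]
		recent := []time.Time{now} // keep only failures inside the sliding window
		for _, t := range r.failures[key] {
			if now.Sub(t) < r.FindTime {
				recent = append(recent, t)
			}
		}
		if r.MaxRetries > 0 && len(recent) >= r.MaxRetries {
			r.bans[key], recent = now.Add(r.BanTime), nil // fresh window after a ban
			banned = append(banned, key)
		}
		r.failures[key] = recent
	}
	return banned
}
```

With the page's example values (`max_retries: 3`, `find_time: 2m`, `ban_time: 5m`), three failures spread over more than two minutes never trigger a ban, while three inside the window ban both subjects for five minutes.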