docker/local-testing/login-protection/README.md
This folder contains a Docker Compose setup for testing the Login Protection (brute-force protection) feature locally.
From the repository root:
cd docker/local-testing/login-protection
docker compose build
docker compose up -d
This starts:
First time setup:
docker exec -it warpgate-login-protection warpgate setup
Or run with admin token enabled:
docker exec -it warpgate-login-protection warpgate run --enable-admin-token
Open https://localhost:8888 and login with the admin credentials you set during setup.
The data/warpgate.yaml uses aggressive settings for easier testing:
| Setting | Value | Description |
|---|---|---|
ip_rate_limit.max_attempts | 3 | Block IP after 3 failed attempts |
ip_rate_limit.time_window_minutes | 5 | Count attempts within 5 minutes |
ip_rate_limit.base_block_duration_minutes | 1 | First block: 1 minute |
ip_rate_limit.block_duration_multiplier | 2.0 | Each block doubles |
user_lockout.max_attempts | 5 | Lock user after 5 failed attempts |
user_lockout.auto_unlock | true | Auto-unlock enabled |
user_lockout.lockout_duration_minutes | 2 | Auto-unlock after 2 minutes |
./scripts/test-ip-blocking.sh
This makes 4 failed login attempts. After the 3rd attempt, your IP gets blocked.
./scripts/test-user-lockout.sh
This makes 6 failed login attempts for a user. After the 5th attempt, the user gets locked.
Get security status:
curl -k https://localhost:8888/@warpgate/admin/api/login-protection/status \
-H "Authorization: Bearer <admin-token>"
List blocked IPs:
curl -k https://localhost:8888/@warpgate/admin/api/login-protection/blocked-ips \
-H "Authorization: Bearer <admin-token>"
Unblock an IP:
curl -k -X DELETE https://localhost:8888/@warpgate/admin/api/login-protection/blocked-ips/127.0.0.1 \
-H "Authorization: Bearer <admin-token>"
List locked users:
curl -k https://localhost:8888/@warpgate/admin/api/login-protection/locked-users \
-H "Authorization: Bearer <admin-token>"
Unlock a user:
curl -k -X DELETE https://localhost:8888/@warpgate/admin/api/login-protection/locked-users/admin \
-H "Authorization: Bearer <admin-token>"
Test SSH brute-force protection:
# Make failed SSH attempts (uses password auth)
for i in {1..4}; do
sshpass -p "wrongpassword" ssh -o StrictHostKeyChecking=no -p 2222 testuser@localhost echo "test"
done
# Failed MySQL attempts
for i in {1..4}; do
mysql -h 127.0.0.1 -P 33306 -u testuser -pwrongpassword 2>/dev/null
done
docker logs -f warpgate-login-protection
Look for log entries like:
IP blocked ip=X.X.X.X block_count=1 duration_minutes=1User locked username=adminLogin attempt from blocked IPdocker compose down -v
Wait for the block to expire (1 minute with test config), or use admin API to unblock:
curl -k -X DELETE https://localhost:8888/@warpgate/admin/api/login-protection/blocked-ips/::1 \
-H "Authorization: Bearer <token>"
The exponential backoff increases block duration. Reset by:
docker compose restart warpgaterm -rf data/db && docker compose restart warpgateRun warpgate with --enable-admin-token flag, then check the logs for the token.