Hi all,
I have a lockout policy on my personal VPN server. It is a paid OpenVPN Access Server with 10 licenses.
The lockout policy is 15 minutes after 3 failed attempts. I want that for security; however, sometimes I want to be able to override a lockout, e.g. when my sister messes up and doesn't want to wait 15 minutes.
I couldn't find anything in the admin guide. Is there an easy way to do this via SSH or the web UI?
[Solved]Manually override a lockout
- OpenVPN User
- Posts: 29
- Joined: Tue Nov 15, 2011 11:31 pm
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jan 16, 2014 6:16 pm
Re: Manually override a lockout
The easiest method I've found is to toggle the User Authentication method in the admin web portal.
1. Log into the web portal at "https://[your-url-or-ip]:943/admin"
2. Click on "General" under the "Authentication" section.
3. Change the authentication method.
Note: It doesn't matter what you change the authentication method to, just that you change the method. For example, I use an LDAP server. So I'll change the method to "Local".
4. Click "Save Settings", then click "Update Running Server".
5. Now immediately change the authentication method back to its original setting.
6. Click "Save Settings", then click "Update Running Server".
At this point, all lockouts are now reset and previously locked out users can attempt to log in. In my experience, this trick does NOT affect currently logged in users. It will, however, affect anyone who tries to log in while you're performing this toggle. But seeing as how this toggle takes all of 10 seconds, I've never experienced someone trying to log in while I was performing this reset.
- OpenVpn Newbie
- Posts: 6
- Joined: Wed Jun 11, 2014 9:50 am
Re: Manually override a lockout
bowser8302's method worked for me.
Thanks.
- OpenVPN User
- Posts: 46
- Joined: Fri Jun 10, 2011 12:03 am
Re: [Solved]Manually override a lockout
How do you set/adjust or disable the lockout policy? I have set up some servers where users are *constantly* fat-fingering their passwords and getting locked out. This is causing a big administrative headache for me especially since there's no easy way to unlock them from the admin GUI. I'd like to increase the lockout to like 20 failed attempts or something just to prevent bruteforce attacks but not the occasional clueless user who sits there and types the same incorrect password with their CAPS LOCK down 10 times in a row.
Help?
Edit: never mind, I found it (but these settings should be exposed in the GUI somewhere IMO...). See link below:
https://docs.openvpn.net/docs/access-se ... out-policy
- OpenVPN User
- Posts: 46
- Joined: Fri Jun 10, 2011 12:03 am
Re: [Solved]Manually override a lockout
Just double-checking: can someone confirm if this is the right way to adjust these parameters? It was vague from the documentation.
Example: increase the allowed number of attempts to 10 and make the lockout period 5 minutes (300 seconds).
Is this right? Do I have to reboot the ovpn server afterwards?
cd /usr/local/openvpn_as/scripts
./sacli -k vpn.server.lockout_policy.n_fails -v 10 ConfigPut
./sacli -k vpn.server.lockout_policy.reset_time -v 300 ConfigPut
./sacli start
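
An added example, not part of any post in this thread: a small shell helper that validates a proposed lockout policy, estimates the password guesses it allows per account per day, and prints the `sacli` commands from the post above without running them. The function names are hypothetical, and the estimate assumes `n_fails` wrong passwords are possible in each `reset_time` window, which is a simplification rather than documented Access Server behaviour.

```shell
#!/bin/sh
# Added example (not from the thread). sacli path and config keys are the
# ones quoted in the post above; all function names are hypothetical.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# is_pos_int VALUE -> succeeds only for a positive decimal integer
is_pos_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# guesses_per_day N_FAILS RESET_TIME
# Assumed model: N_FAILS wrong passwords fit into every RESET_TIME-second
# window, so this is an upper bound on guesses against one account per day.
guesses_per_day() {
    is_pos_int "$1" && is_pos_int "$2" || return 1
    windows=$(( (86400 + $2 - 1) / $2 ))   # windows per day, rounded up
    echo $(( $1 * windows ))
}

# lockout_commands N_FAILS RESET_TIME
# Prints the commands to review and run by hand; executes nothing.
lockout_commands() {
    if ! is_pos_int "$1" || ! is_pos_int "$2"; then
        echo "usage: lockout_commands N_FAILS RESET_TIME_SECONDS" >&2
        return 1
    fi
    printf '%s -k vpn.server.lockout_policy.n_fails -v %s ConfigPut\n' "$SACLI" "$1"
    printf '%s -k vpn.server.lockout_policy.reset_time -v %s ConfigPut\n' "$SACLI" "$2"
    printf '%s start\n' "$SACLI"
}

# Compare the two policies mentioned in the thread:
# 3 fails / 15 minutes (first post) and 10 fails / 5 minutes (last post).
for policy in "3 900" "10 300"; do
    set -- $policy
    echo "n_fails=$1 reset_time=$2: at most $(guesses_per_day "$1" "$2") guesses per account per day"
done
lockout_commands 10 300
```

Under that model the 10-attempt, 5-minute policy allows ten times as many guesses per day as the original 3-attempt, 15-minute policy, which is the trade-off to weigh before relaxing it.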