[Solved]Manually override a lockout

Post Reply
luis84
OpenVPN User
Posts: 29
Joined: Tue Nov 15, 2011 11:31 pm

[Solved]Manually override a lockout

Post by luis84 » Tue Nov 06, 2012 4:30 am

Hi all,

I have a lockout policy on my personal VPN server. It is paid openvpn access server with 10 licenses.

The lockout policy is 15 minutes after 3 failed attempts. I want that due to security, however, sometimes I want to be able to override a lockout, IE my sister messes up and doesn't want to wait 15 minutes.

I couldn't find anything in the admin guide. Is there an easy way to do this via SSH or web UI ?

bowser8302
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 16, 2014 6:16 pm

Re: Manually override a lockout

Post by bowser8302 » Thu Jan 16, 2014 6:24 pm

The easiest method I've found is to toggle the User Authentication method in the admin web portal.

1. Log into the webportal at "https://[your-url-or-ip]:943/admin"

2. Click on "General" under the "Authentication" section.

3. Change the authentication method.

Note: It doesn't matter what you change the authentication method to, just that you change the method. For example, I use an LDAP server. So I'll change the method to "Local".

4. Click "Save Settings", then click "Update Running Server".

5. Now immediately change the authentication method back to it's original setting.

6. Click "Save Settings", then click "Update Running Server".

At this point, all lockouts are now reset and previously locked out users can attempt to log in. In my experience, this trick does NOT affect currently logged in users. It will, however, affect anyone who tries to log in while you're performing this toggle. But seeing as how this toggle takes all of 10 seconds, I've never experienced someone trying to log in while I was performing this reset.

opg1987
OpenVpn Newbie
Posts: 6
Joined: Wed Jun 11, 2014 9:50 am

Re: Manually override a lockout

Post by opg1987 » Tue Mar 24, 2015 11:02 am

bowser8302's method worked for me.

Thanks.

luckman212
OpenVPN User
Posts: 30
Joined: Fri Jun 10, 2011 12:03 am

Re: [Solved]Manually override a lockout

Post by luckman212 » Sun Jan 24, 2016 3:46 am

How do you set/adjust or disable the lockout policy? I have set up some servers where users are *constantly* fat-fingering their passwords and getting locked out. This is causing a big administrative headache for me especially since there's no easy way to unlock them from the admin GUI. I'd like to increase the lockout to like 20 failed attempts or something just to prevent bruteforce attacks but not the occasional clueless user who sits there and types the same incorrect password with their CAPS LOCK down 10 times in a row.

Help?

edit: nevermind, I found it (but these settings should be exposed in the GUI somewhere IMO...) See link below
https://docs.openvpn.net/docs/access-se ... out-policy

luckman212
OpenVPN User
Posts: 30
Joined: Fri Jun 10, 2011 12:03 am

Re: [Solved]Manually override a lockout

Post by luckman212 » Fri Jan 29, 2016 2:42 pm

Just double checking, can someone confirm if this is the right way to adjust these parameters? It was vague from the documentation

example, increase allowed # of attempts to 10 and make lockout period 5 minutes (300 seconds)

Code: Select all

cd /usr/local/openvpn_as/scripts
./sacli -k vpn.server.lockout_policy.n_fails -v 10 ConfigPut
./sacli -k vpn.server.lockout_policy.reset_time -v 300 ConfigPut
./sacli start
Is this right? Do I have to reboot the ovpn server afterwards?

Post Reply