Does anyone know if there is a way to have the users defined to access the stats page have a lockout period?
So if someone tries to access the site with the wrong password it will lock out for a set period?
Any idea or workaround to lock access after so many attempts for a set period?
You can use ACLs for protecting the stats page like with any other page.
Therefore if you come up with an ACL (perhaps based on stick-tables) that rate-limits, or “locks out” a particular IP for a certain amount of time, then you can use that with your status page. (I’ve never done that, so I can’t provide the actual ACL.)
However I don’t think the status page is so critical, especially if you don’t enable stats admin, because the worst that can happen is for an attacker to get a layout of your infrastructure and get a “statistic” of its usage.
I usually put the stats page at a randomly generated path (like a UUID), and use authentication for it. Now only those that know your config file can also know where the stats page is.
Does anyone know if it’s possible to only allow users to have admin login from a certain network range?
We currently have the stats page set up with 2 accounts, an admin and a standard user; they only get non-read-only access if they use the admin user and password.
You can use stats admin if <acl>, where <acl> is the name of an ACL that checks if the source IP is from a certain range.
You can use your firewall and only accept your IP range for the stats port if you are running stats on another port. It’s working well for me.
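
The two suggestions in this thread (a stick-table based lockout, and stats admin restricted by a source-range ACL) combined in one configuration, as an added example that is not from any of the posters. The section and userlist names, port, stats path, management network, passwords and thresholds are placeholders and assumptions.

```haproxy
# Added example: all names, the port, the path, the network range and the
# thresholds below are assumptions/placeholders, not values from the thread.
userlist stats_users
    group admin    users admin
    group readonly users viewer
    user  admin    insecure-password REPLACE_WITH_ADMIN_PASSWORD
    user  viewer   insecure-password REPLACE_WITH_VIEWER_PASSWORD

listen stats
    bind :8404
    mode http

    # One entry per client IP; gpc0 counts failed logins. An entry expires
    # 10 minutes after it was last touched, which gives the lockout period.
    stick-table type ip size 100k expire 10m store gpc0
    http-request track-sc0 src

    # Placeholder management range allowed to use the admin functions
    acl mgmt_net   src 192.0.2.0/24
    acl has_creds  req.hdr(Authorization) -m found
    acl auth_ok    http_auth(stats_users)
    acl auth_admin http_auth_group(stats_users) admin
    acl locked_out sc0_get_gpc0 gt 5

    # Refuse locked-out sources before their credentials are even checked
    http-request deny deny_status 429 if locked_out
    # Count only requests that presented credentials and failed
    http-request sc-inc-gpc0(0) if has_creds !auth_ok

    stats enable
    stats uri /REPLACE_WITH_RANDOM_PATH
    stats http-request auth realm stats unless auth_ok
    # Admin actions need the admin account AND a source in the allowed range
    stats admin if auth_admin mgmt_net
```

Every tracked request refreshes the entry's expiry, so a source that keeps retrying stays locked out until it has been quiet for the full 10 minutes. The lockout is keyed on source IP, so users behind a shared NAT address are locked out together.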