Configuring User Login Restrictions
Overview
To reduce the security risk caused by a leaked user account, you can enable or disable multifactor verification, set the account validity period, and configure login limits by time range, IP address, and MAC address.
- Multifactor verification: authenticates user login by SMS, OTP token, or USB key as well as password.
- Period of validity: determines the validity period of a user account for logging in to a bastion host.
- Login limit by time: allows or forbids a user account to log in to a bastion host during the specified time range.
- Login limit by IP address: allows or forbids logins from specified IP addresses or IP address ranges.
- Login limit by MAC address: allows or forbids logins from specified MAC addresses on a LAN.
Constraints
- To use Mobile OTP authentication, ensure that the bastion host system time and the mobile phone system time are synchronized, accurate to the second. Otherwise, mobile OTP authentication will fail.
- The built-in SMS gateway has restrictions on the frequency and number of SMS messages that can be sent. To avoid these restrictions, use a third-party SMS gateway. For more details, see Configuring SMS Message Outgoing.
- MAC addresses belong to the data link layer and are used for LAN addressing. The parameter MAC Limit takes effect only on the LAN.
- If multifactor verification is configured for the admin user, the first login will fail. Submit a service ticket for technical support to deselect all multifactor verification options.
Prerequisites
- You have the operation permissions for the User module.
- To enable Mobile OTP in multifactor verification, bind a mobile OTP to the user account in Profile. Otherwise, the user account cannot be used to log in to the system.
Procedure
- Log in to your bastion host.
- Choose User > User in the navigation pane.
- Click the login name of the user whose information you want to change, or click Manage in the row of the user in the Operation column.
- Click Edit in the User Setting area.
Table 1 User login limit parameters

Parameter: Multifactor Verification
Description: Specifies the authentication methods for users to log in to the bastion host. The options are Mobile SMS, Mobile OTP, USBKey, and OTP token.
- By default, all options are deselected. If no option is selected, only the local password is used for identity authentication.
- Mobile SMS: can be enabled in multifactor verification only after a mobile number is bound to the user account for receiving SMS messages.
- Mobile OTP: to make mobile OTP authentication take effect, bind a mobile OTP to the user account in Profile first.
- USBKey: to make USBKey multifactor verification take effect, relate the user account to an issued USB key. For details, see Issuing a USB Key.
- OTP token: to make OTP token authentication take effect, relate the user account to an OTP token. For details, see Issuing an OTP Token.

Parameter: IAM Login
Description: If enabled, you can log in to the bastion host directly from IAM.

Parameter: Period of validity
Description: Specifies the validity period of the user account.

Parameter: Logon Time Limit
Description: Specifies the allowed or forbidden login time range. The time limit is set by day and hour.

Parameter: Edit IP limit
Description: Specifies the IP address or IP address range to be blacklisted or whitelisted.
- Blacklist: forbids all user logins from the specified IP address or IP address range.
- Whitelist: allows only user logins from the specified IP address or IP address range.
- Blacklist-Multifactor Verification for within the List: configures the IP address or IP address range for the blacklist. Users whose IP addresses are in the blacklist can log in to the bastion host only if multifactor verification is configured for them.
- Blacklist-Multifactor Verification for beyond the List: configures the IP address or IP address range for the whitelist. Users whose IP addresses are not in the whitelist can log in to the bastion host only if multifactor verification is configured for them.
- If no IP address is specified, there is no IP-based login limit.

Parameter: MAC Limit
Description: Specifies the MAC address or address range to be blacklisted or whitelisted.
- Blacklist: forbids users from the configured MAC addresses to log in to the bastion host.
- Whitelist: allows only users from the configured MAC addresses to log in to the bastion host.
- If no MAC address is specified, there is no login limit by MAC address.
- Click OK. You can view the user login configurations on the user details page.
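The parameters in Table 1 combine into a single login decision: the account must be within its period of validity, the login must fall inside an allowed (or outside a forbidden) day-and-hour slot, and the source IP address is then checked against one of four list modes, two of which do not reject the login but demand multifactor verification. The following evaluator is an added example, not the bastion host's own code; the policy structure, mode names (`blacklist`, `whitelist`, `mfa_within_list`, `mfa_beyond_list`) and the use of CIDR notation for address ranges are this example's own assumptions, and the policy and login attempts are constructed. The MAC limit follows the same blacklist/whitelist logic as the first two IP modes and is not repeated.

```python
import ipaddress
from datetime import datetime

# Constructed policy mirroring the User Setting parameters in Table 1.
# Field names are this example's own; the product's real field names are not on the page.
EXAMPLE_POLICY = {
    # Period of validity: start and end of the account's validity window
    "validity": (datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59)),
    # Logon Time Limit: "allowed" slots (weekday, hour); Monday=0, 08:00-18:59 on weekdays
    "time_limit": {"mode": "allowed",
                   "slots": {(d, h) for d in range(5) for h in range(8, 19)}},
    # Edit IP limit: MFA is required for any source outside the listed ranges
    "ip_limit": {"mode": "mfa_beyond_list",
                 "ranges": ["10.0.0.0/8", "192.168.1.0/24"]},
}


def ip_in_ranges(ip: str, ranges: list) -> bool:
    """True if ip falls in any listed single address or CIDR range (assumed notation)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def ip_limit_decision(ip: str, mode: str, ranges: list) -> str:
    """Return 'allow', 'deny' or 'mfa' for the four IP limit modes described in Table 1."""
    if not ranges:                      # no IP address specified: no IP-based login limit
        return "allow"
    listed = ip_in_ranges(ip, ranges)
    if mode == "blacklist":             # Blacklist: forbid logins from listed addresses
        return "deny" if listed else "allow"
    if mode == "whitelist":             # Whitelist: allow only logins from listed addresses
        return "allow" if listed else "deny"
    if mode == "mfa_within_list":       # Multifactor Verification for within the List
        return "mfa" if listed else "allow"
    if mode == "mfa_beyond_list":       # Multifactor Verification for beyond the List
        return "allow" if listed else "mfa"
    raise ValueError(f"unknown IP limit mode {mode!r}")


def time_limit_decision(now: datetime, mode: str, slots: set) -> str:
    """Logon Time Limit: slots are (weekday, hour) pairs, either Allowed or Forbidden."""
    if not slots:
        return "allow"
    slot = (now.weekday(), now.hour)
    if mode == "allowed":
        return "allow" if slot in slots else "deny"
    if mode == "forbidden":
        return "deny" if slot in slots else "allow"
    raise ValueError(f"unknown time limit mode {mode!r}")


def evaluate_login(policy: dict, ip: str, now: datetime, mfa_passed: bool) -> tuple:
    """Apply validity, time limit and IP limit in order; return (decision, reason)."""
    start, end = policy["validity"]
    if not (start <= now <= end):
        return ("deny", "account outside its period of validity")
    tl = policy["time_limit"]
    if time_limit_decision(now, tl["mode"], tl["slots"]) == "deny":
        return ("deny", "login time not allowed by Logon Time Limit")
    il = policy["ip_limit"]
    decision = ip_limit_decision(ip, il["mode"], il["ranges"])
    if decision == "deny":
        return ("deny", "source IP address rejected by IP limit")
    if decision == "mfa" and not mfa_passed:
        return ("deny", "multifactor verification required for this source IP address")
    return ("allow", "all login restrictions satisfied")


if __name__ == "__main__":
    # Constructed login attempts: a weekday office hour and a Saturday
    weekday = datetime(2024, 3, 6, 10, 15)
    saturday = datetime(2024, 3, 9, 10, 15)
    for ip, when, mfa in [("10.1.2.3", weekday, False), ("203.0.113.5", weekday, False),
                          ("203.0.113.5", weekday, True), ("10.1.2.3", saturday, True)]:
        print(ip, when.isoformat(), "mfa" if mfa else "password only",
              "->", evaluate_login(EXAMPLE_POLICY, ip, when, mfa))
```

The ordering matters operationally: validity and time checks fail closed before any IP logic runs, and in the two multifactor modes an unlisted (or listed) address is never silently allowed, which is why the page's prerequisite about binding a mobile OTP or USB key first is not optional for users who fall into those modes.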
Batch Changing User Login Configurations
- Log in to your bastion host.
- In the navigation pane on the left, choose User > User to go to the user list page.
- Select the user accounts you want to edit and click More in the lower left corner.
- Edit or disable multifactor verification configuration for several users at a time.
  - Click Edit multifactor.
    Figure 1 Batch editing multifactor verification
  - In the displayed Edit Multifactor Verification dialog box, select or deselect one or more multifactor verification methods.
  - Click OK.
- Edit or disable the period of validity for several users at a time.
  - Click Edit validity period.
  - In the displayed Edit period of validity dialog box, select Edit StartTime or Edit EndTime and specify the time. If you deselect the check box, the corresponding validity period configuration is disabled.
  - Click OK.
- Edit the login time limit for several users at a time.
  - Click Edit time limit.
  - In the displayed Edit time limit dialog box, select Allowed or Forbidden and specify the time limit by day and hour.
  - Click OK.
- Edit or disable the IP address login limit for several users at a time.
  - Click Edit IP limit.
  - In the displayed Edit IP limit dialog box, select Blacklist or Whitelist and enter or delete the IP address or address range.
  - Click OK.
- Edit or disable the MAC login limit for several users at a time.
  - Click Edit MAC limit.
  - In the displayed Edit MAC limit dialog box, select Blacklist or Whitelist and enter or delete the MAC address.
  - Click OK.