Updated on 2025-02-17 GMT+08:00

Configuring User Login Restrictions

Overview

To reduce the risk created by a leaked user account, you can enable or disable multifactor verification, set an account validity period, and restrict logins by time range, IP address, and MAC address.

  • Multifactor verification: requires a second factor (mobile SMS, mobile OTP, OTP token, or USB key) in addition to the password when the user logs in.
  • Period of validity: the date range during which the user account can log in to the bastion host.
  • Login limit by time: permits or forbids logins from the user account during specified time ranges.
  • Login limit by IP address: permits only, or forbids, logins from specified IP addresses or address ranges.
  • Login limit by MAC address: permits only, or forbids, logins from clients with specified MAC addresses on the same LAN.

Constraints

  • Mobile OTP is time-based. Ensure that the bastion host system time and the mobile phone system time are synchronized to the second; otherwise the codes generated on the phone will not match and mobile OTP authentication fails.
  • The built-in SMS gateway limits how often and how many SMS messages can be sent. To avoid these limits, use a third-party SMS gateway. For details, see Configuring SMS Message Outgoing.
  • MAC addresses are data link layer identifiers used for addressing within a LAN and are not carried across routers. The MAC Limit parameter therefore takes effect only for clients on the same LAN as the bastion host; it does not restrict users connecting over a routed network.
  • If multifactor verification is configured for the admin user, the first login will fail. Submit a service ticket for technical support to deselect all multifactor verification options for admin.
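As an added illustration of the time-synchronization constraint (example code, not part of the original page or of the bastion host's own implementation), the following assumes the mobile OTP is a standard time-based OTP as defined in RFC 6238 with a 30-second step and six digits. The secret is the RFC's published reference test vector, not a real seed. It shows that a phone whose clock is one step ahead of the server produces a different code, so a strict check fails, while a check that also accepts the neighbouring steps tolerates small skew:

```python
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 6238 reference secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"
STEP = 30      # time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, skew_steps: int = 0) -> bool:
    """Accept the code if it matches the current step or any step within +/- skew_steps.
    With skew_steps=0 a phone whose clock is ahead or behind by more than the remainder
    of the current 30 s window is rejected, which is the failure the constraint warns about."""
    now = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, now + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def demo() -> dict:
    """Phone clock exactly one step (30 s) ahead of the server clock."""
    server_time = 1111111109          # RFC 6238 test timestamp
    phone_code = totp(SECRET, server_time + STEP)
    return {
        "server_code": totp(SECRET, server_time),
        "phone_code": phone_code,
        "strict": verify(SECRET, phone_code, server_time),       # False: clocks differ
        "tolerant": verify(SECRET, phone_code, server_time, 1),  # True: +/- 1 step accepted
    }


if __name__ == "__main__":
    print(demo())
```

A skew window of one step is a common compromise; every extra step accepted widens the set of valid codes an attacker could guess, so fixing the clocks is preferable to widening the window.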

Prerequisites

  • You have the operation permissions for the User module.
  • To enable Mobile OTP in multifactor verification, first bind a mobile OTP to the user account in Profile. If Mobile OTP is enabled before a mobile OTP is bound, the user account cannot log in to the system.

Configuring Login Restrictions for a User

  1. Log in to your bastion host.
  2. Choose User > User. The user list page is displayed. You can find a user with the quick search or advanced search function.

    • Quick search: Enter a keyword in the search box to search for a user by login name or username.
    • Advanced search: Click Advanced next to the search box and enter keywords in the corresponding attribute search boxes to search for users.

  3. Click the login name of the user whose information you want to change, or click Manage in the row of the user in the Operation column.
  4. Click Edit in the User Setting area.

    Table 1 User login limit parameters (each parameter is followed by its description)

    Multifactor Verification

    Specifies the authentication methods users must pass to log in to the bastion host. The options are Mobile SMS, Mobile OTP, USBKey, and OTP token.

    • By default, all options are deselected. If no option is selected, only the local password is used for identity authentication.
    • Mobile SMS: can be enabled only after a mobile number for receiving SMS messages is bound to the user account.
    • Mobile OTP: takes effect only after a mobile OTP is bound to the user account in Profile.
    • USBKey: takes effect only after the user account is associated with an issued USB key. For details, see Issuing a USB Key.
    • OTP token: takes effect only after the user account is associated with an OTP token. For details, see Issuing an OTP Token.

    IAM Login

    If enabled, the user can log in to the bastion host directly from IAM.

    Period of validity

    Specifies the validity period of the user account. Outside this period the account cannot log in to the bastion host.

    Logon Time Limit

    Specifies the time ranges during which login is permitted or forbidden. The ranges are set by the hour for each day.

    Edit IP limit

    Specifies the IP addresses or IP address ranges to be blacklisted or whitelisted.

    • Blacklist: forbids logins from the listed IP addresses or ranges; logins from all other addresses are allowed.
    • Whitelist: allows logins only from the listed IP addresses or ranges; logins from all other addresses are refused.
    • Blacklist-Multifactor Verification for within the List: the list is a blacklist. Users logging in from a listed IP address or range may log in only if multifactor verification is configured for them; unlisted addresses are allowed as usual.
    • Whitelist-Multifactor Verification for beyond the List: the list is a whitelist. Users logging in from an IP address that is not in the list may log in only if multifactor verification is configured for them; listed addresses are allowed as usual.
    • If no IP address is specified, there is no IP-based login limit.

    MAC Limit

    Specifies the MAC addresses to be blacklisted or whitelisted.

    • Blacklist: forbids logins from the listed MAC addresses.
    • Whitelist: allows logins only from the listed MAC addresses.
    • If no MAC address is specified, there is no login limit by MAC address.

  5. Click OK. You can view the user login configurations on the user details page.

Configuring Login Restrictions for a Batch of Users

  1. Log in to your bastion host.
  2. Choose User > User. The user list page is displayed. You can find a user with the quick search or advanced search function.

    • Quick search: Enter a keyword in the search box to search for a user by login name or username.
    • Advanced search: Click Advanced next to the search box and enter keywords in the corresponding attribute search boxes to search for users.

  3. Select the target login user accounts.

    • Edit multifactor verification.
      1. In the lower left corner, choose More > Edit multifactor. In the dialog box displayed, select the verification methods required for the target users.
        • You can select several verification methods at once.
        • You can also select Modify All to edit the multifactor verification settings of all users in the current department and its subordinate departments. Before doing so, note the constraint above on configuring multifactor verification for the admin user.
      2. Confirm the information and click OK.
    • Edit the validity period.
      1. In the lower left corner, choose More > Edit validity period. In the dialog box displayed, select the start and end time for the target user.
        • After the setting, the target account can log in to the bastion host only within the valid period.
        • You can set either the start time, or the end time, or both.
      2. Confirm the information and click OK.
    • Edit the login time limit.
      1. In the lower left corner, choose More > Edit time limit. In the dialog box displayed, select the login period.
        • The time ranges are set by the hour for each day.
        • Select Permit or Forbid, then mark the hours during which the target users may, or may not, log in.
      2. Confirm the information and click OK.
    • Edit IP address login limit.
      1. In the lower left corner, choose More > Edit IP limit. In the dialog box displayed, select the login IP address restriction type.

        You can select:

        • Blacklist: The entered addresses are not allowed to log in to the system.
        • Whitelist: Only entered addresses are allowed to log in to the system.
        • Blacklist-Multifactor Verification for within the list: Users from the specified IP address or IP address range can log in to the system through multifactor verification only.
        • Whitelist-Multifactor Verification for beyond the list: Users not from the specified IP address or IP address ranges can log in to the system through multifactor verification only.
      2. Enter IP addresses in the text box.

        Enter one address or address range per line. A single address, a start-end range, and CIDR notation are supported, for example 192.168.1.10-192.168.1.100 or 192.168.1.10/24. Note that a /24 prefix denotes the whole 192.168.1.0/24 network rather than a single host; write CIDR entries with the network address (192.168.1.0/24) so the intended range is unambiguous.

      3. Confirm the information and click OK.
    • Edit the MAC address limit.
      1. In the lower left corner, choose More > Edit MAC limit. In the dialog box displayed, select the login MAC address restriction type.

        Select Blacklist or Whitelist.

      2. Enter MAC addresses in the text box.

        Enter one MAC address per line.

      3. Confirm the information and click OK.
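To make the decision logic behind the IP and MAC limits concrete (Table 1 above and the batch Edit IP limit / Edit MAC limit steps), here is an added worked example in Python. It is example code written for this page, not the bastion host's own implementation. The four IP restriction type names are taken from the page; the list text is constructed; and the treatment of a CIDR entry written with a host address (192.168.1.10/24 read as 192.168.1.0/24) is an assumption about the product, which is why the page recommends writing the network address. The evaluator returns "allow", "deny", or "mfa" (login may proceed only through multifactor verification), and refuses a user who lands in an MFA-only bucket without any method configured, matching the text above:

```python
import ipaddress
from enum import Enum


class IpMode(Enum):
    """The four restriction types offered by Edit IP limit (names as on the page)."""
    BLACKLIST = "Blacklist"
    WHITELIST = "Whitelist"
    BLACKLIST_MFA_WITHIN = "Blacklist-Multifactor Verification for within the list"
    WHITELIST_MFA_BEYOND = "Whitelist-Multifactor Verification for beyond the list"


def parse_ip_list(text):
    """Parse the one-entry-per-line IP list: single address, start-end range, or CIDR.
    Blank lines are ignored. ASSUMPTION: a CIDR with host bits set (192.168.1.10/24)
    is read as its network (192.168.1.0/24); write the network address to be safe."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {line}")
            entries.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def ip_listed(client_ip, entries):
    """True if the client address falls inside any parsed entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in entries)


def evaluate_ip_limit(mode, entries, client_ip, mfa_configured):
    """Return 'allow', 'deny', or 'mfa' (login only through multifactor verification)."""
    if not entries:
        return "allow"  # no IP address specified: no IP-based limit
    listed = ip_listed(client_ip, entries)
    if mode is IpMode.BLACKLIST:
        return "deny" if listed else "allow"
    if mode is IpMode.WHITELIST:
        return "allow" if listed else "deny"
    if mode is IpMode.BLACKLIST_MFA_WITHIN:
        if not listed:
            return "allow"
        return "mfa" if mfa_configured else "deny"  # no MFA configured: refused
    if mode is IpMode.WHITELIST_MFA_BEYOND:
        if listed:
            return "allow"
        return "mfa" if mfa_configured else "deny"  # no MFA configured: refused
    raise ValueError(f"unknown mode: {mode}")


def normalise_mac(mac):
    """Canonicalise to lower-case colon form so 00-1A-2B-3C-4D-5E equals 00:1a:2b:3c:4d:5e."""
    digits = mac.strip().replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate_mac_limit(mode, mac_text, client_mac):
    """Blacklist or Whitelist over the one-MAC-per-line list; only meaningful on the LAN."""
    macs = {normalise_mac(l) for l in mac_text.splitlines() if l.strip()}
    if not macs:
        return "allow"  # no MAC address specified: no MAC-based limit
    listed = normalise_mac(client_mac) in macs
    if mode == "Blacklist":
        return "deny" if listed else "allow"
    if mode == "Whitelist":
        return "allow" if listed else "deny"
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample list in the dialog's format (one entry per line).
IP_LIST_TEXT = """
192.168.1.10-192.168.1.100
10.20.0.0/16
203.0.113.7
"""
ENTRIES = parse_ip_list(IP_LIST_TEXT)

if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.150", "10.20.3.4", "203.0.113.7"):
        print(ip, {m.name: evaluate_ip_limit(m, ENTRIES, ip, True) for m in IpMode})
    # The host-bits pitfall: 192.168.1.10/24 covers the whole 192.168.1.0/24 network.
    print(ip_listed("192.168.1.200", parse_ip_list("192.168.1.10/24")))
```

Running it shows the asymmetry between the two MFA modes: with Blacklist-Multifactor Verification for within the list an address outside the list is allowed without any extra factor, whereas with Whitelist-Multifactor Verification for beyond the list the same address is allowed only via multifactor verification, and an account with no method configured is simply refused.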