Intrusion Detection

Settings for IP-based intrusion detection. When repeated failed authentication attempts are detected from the same source IP address within the configured failure-window, a failed-userpass-attempts, failed-jwt-attempts, or failed-token-attempts alert is issued to the system:alerts topic.

Update the intrusion detection

Security: accessToken
Request
Query parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
enabled
boolean
Default: true

Enable IP-based intrusion detection alerts. When set to false, no intrusion detection alerts will be issued.

failure-window
string <duration>
Default: "5m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Time window over which failed authentication attempts are counted per source IP address. Attempts outside this window are not counted.

alert-threshold
integer <uint32>
Default: 10

Number of failed authentication attempts from the same source IP address within failure-window before a failed-userpass-attempts, failed-jwt-attempts, or failed-token-attempts alert is issued. Note: each host tracks independently, so in a multi-host cluster the effective cluster-wide threshold is approximately this value multiplied by the number of hosts.

rate-limit-enabled
boolean
Default: false

Enable per-IP-address rate limiting at the HTTP layer. When set to true, requests exceeding rate-limit-threshold per failure-window from a single source IP address are rejected with HTTP 429.

rate-limit-threshold
integer <uint16>
Default: 30

Maximum number of requests allowed per source IP address within failure-window before returning HTTP 429. Only effective when rate-limit-enabled is true.

Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PATCH /v1/config/strongbox/authentication/intrusion-detection
Request samples
enabled: true
failure-window: 5m
alert-threshold: 10
rate-limit-enabled: false
rate-limit-threshold: 30
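To make the failure-window, alert-threshold and rate-limit-threshold semantics concrete, here is an added example (not code from the strongbox project) that models one host's per-IP sliding-window counting, the duration format above, and the HTTP 429 rate-limit decision. The alert names and field names come from this page; the class and function names, the treatment of "y" as 365 days, the "one alert when the count reaches the threshold" behaviour and the sample event list are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Duration format from the page: [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s]
_UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"^(?:(\d+)y)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

def parse_duration(text: str) -> int:
    """Convert '5m', '10m30s' or '1y2d5h' into seconds (a 'y' is taken as 365 days here)."""
    match = _DURATION_RE.match(text)
    if not text or not match:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(v) * _UNIT_SECONDS[u] for v, u in zip(match.groups(), "ydhms") if v)

class SlidingWindowCounter:
    """Per-IP event counter for a single host: only events inside the last `window` count."""
    def __init__(self, window: str):
        self.window = parse_duration(window)
        self._events = defaultdict(deque)  # ip -> timestamps of recent events

    def record(self, ip: str, now: float) -> int:
        """Add one event for `ip` at time `now`; return how many fall inside the window."""
        q = self._events[ip]
        q.append(now)
        while q and now - q[0] >= self.window:  # attempts outside the window stop counting
            q.popleft()
        return len(q)

def detect_intrusions(events, failure_window="5m", alert_threshold=10):
    """events: (timestamp, source_ip, auth_kind, succeeded). Returns the alerts that
    would be published to system:alerts; one alert is emitted each time an IP's
    in-window failure count reaches alert-threshold (assumed 'on crossing' semantics)."""
    failures = SlidingWindowCounter(failure_window)
    alerts = []
    for ts, ip, kind, succeeded in events:
        if not succeeded and failures.record(ip, ts) == alert_threshold:
            alerts.append((ip, f"failed-{kind}-attempts"))  # e.g. failed-jwt-attempts
    return alerts

def rate_limit(requests, failure_window="5m", rate_limit_threshold=30):
    """requests: (timestamp, source_ip). Returns one HTTP status per request:
    429 once an IP exceeds rate-limit-threshold requests inside failure-window."""
    counter = SlidingWindowCounter(failure_window)
    return [429 if counter.record(ip, ts) > rate_limit_threshold else 200
            for ts, ip in requests]

# Constructed sample: 12 rapid password failures from one IP, 3 JWT failures from another.
SAMPLE_EVENTS = ([(i, "198.51.100.42", "userpass", False) for i in range(12)]
                 + [(i, "203.0.113.7", "jwt", False) for i in range(3)])
```

Because each host keeps its own counter, the cluster-wide behaviour described in the alert-threshold note follows from running one such counter per host rather than one shared instance.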

Delete the intrusion detection

Security: accessToken
Request
Query parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

DELETE /v1/config/strongbox/authentication/intrusion-detection

Replace or create the intrusion detection

Security: accessToken
Request
Query parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
enabled
boolean
Default: true

Enable IP-based intrusion detection alerts. When set to false, no intrusion detection alerts will be issued.

failure-window
string <duration>
Default: "5m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Time window over which failed authentication attempts are counted per source IP address. Attempts outside this window are not counted.

alert-threshold
integer <uint32>
Default: 10

Number of failed authentication attempts from the same source IP address within failure-window before a failed-userpass-attempts, failed-jwt-attempts, or failed-token-attempts alert is issued. Note: each host tracks independently, so in a multi-host cluster the effective cluster-wide threshold is approximately this value multiplied by the number of hosts.

rate-limit-enabled
boolean
Default: false

Enable per-IP-address rate limiting at the HTTP layer. When set to true, requests exceeding rate-limit-threshold per failure-window from a single source IP address are rejected with HTTP 429.

rate-limit-threshold
integer <uint16>
Default: 30

Maximum number of requests allowed per source IP address within failure-window before returning HTTP 429. Only effective when rate-limit-enabled is true.

Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PUT /v1/config/strongbox/authentication/intrusion-detection
Request samples
enabled: true
failure-window: 5m
alert-threshold: 10
rate-limit-enabled: false
rate-limit-threshold: 30

Retrieve the configuration of intrusion detection

Security: accessToken
Request
Query parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

304

Not Modified

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/authentication/intrusion-detection
Response samples
enabled: true
failure-window: 5m
alert-threshold: 10
rate-limit-enabled: false
rate-limit-threshold: 30

Retrieve the state of intrusion detection

Security: accessToken
Request
Query parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/authentication/intrusion-detection
Response samples
enabled: true
failure-window: 5m
alert-threshold: 10
rate-limit-enabled: false
rate-limit-threshold: 30
status:
  total-alerts-generated: 3
  tracked-ip-address-count: 1
  tracked-ip-addresses:
    - ip: 198.51.100.42
      alert-type: failed-userpass-attempts
      failure-count: 7