wekan/docs/Security/brute-force-protection.md

# Brute Force Protection in WeKan

WeKan includes a robust brute force login protection system that helps prevent unauthorized access attempts by temporarily locking accounts after multiple failed login attempts.

## Features

- **Configurable Settings**: Administrators can configure lockout settings directly in the Admin Panel
- **Different Rules for Known and Unknown Users**: Separate settings for registered users and unknown login attempts
- **Visual Indicators**: Red lock icons identify locked users in the interface
- **Unlock Capabilities**: Admins can unlock individual users or all locked users at once

## Administration

### Accessing Brute Force Protection Settings

1. Navigate to **Admin Panel** > **People** > **Locked Users**
2. Here you can view and modify all brute force protection settings

### Settings Available

#### Known Users (Registered Users)
- **Failures Before Lockout**: Number of failed attempts before an account is locked (default: 3)
- **Lockout Period**: Duration in seconds that an account remains locked (default: 60)
- **Failure Window**: Time window in seconds during which failed attempts are counted (default: 15)

#### Unknown Users (Non-existent Usernames)
- **Failures Before Lockout**: Number of failed attempts before the IP is blocked (default: 3)
- **Lockout Period**: Duration in seconds that an IP remains blocked (default: 60)
- **Failure Window**: Time window in seconds during which failed attempts are counted (default: 15)

### Managing Locked Users

The **Locked Users** tab in the Admin Panel shows all currently locked users with:
- Username
- Email address
- Number of failed attempts
- Remaining lock time

#### Unlocking Users

There are two ways to unlock users:

1. **Individual Unlock**: Click the red lock icon next to a specific user to unlock them
2. **Unlock All**: Click the "Unlock All" button to unlock all currently locked users at once

### User Filtering

In the **People** section of the Admin Panel, you can filter users by lock status:

1. Use the dropdown menu to select "Locked Users Only"
2. This will show only users who are currently locked out due to failed login attempts

## Security Recommendations

- Use the default settings as a starting point and adjust based on your security requirements
- Consider increasing the lockout period for high-security environments
- Regularly check the locked users list to identify potential attack patterns
Feature: Added brute force login protection settings to Admin Panel/People/Locked Users. Part 2. Thanks to xet7 ! 2025-08-08 12:36:17 +03:00			`# Brute Force Protection in WeKan`

			`WeKan includes a robust brute force login protection system that helps prevent unauthorized access attempts by temporarily locking accounts after multiple failed login attempts.`

			`## Features`

			`- Configurable Settings: Administrators can configure lockout settings directly in the Admin Panel`
			`- Different Rules for Known and Unknown Users: Separate settings for registered users and unknown login attempts`
			`- Visual Indicators: Red lock icons identify locked users in the interface`
			`- Unlock Capabilities: Admins can unlock individual users or all locked users at once`

			`## Administration`

			`### Accessing Brute Force Protection Settings`

			`1. Navigate to Admin Panel > People > Locked Users`
			`2. Here you can view and modify all brute force protection settings`

			`### Settings Available`

			`#### Known Users (Registered Users)`
			`- Failures Before Lockout: Number of failed attempts before an account is locked (default: 3)`
			`- Lockout Period: Duration in seconds that an account remains locked (default: 60)`
			`- Failure Window: Time window in seconds during which failed attempts are counted (default: 15)`

			`#### Unknown Users (Non-existent Usernames)`
			`- Failures Before Lockout: Number of failed attempts before the IP is blocked (default: 3)`
			`- Lockout Period: Duration in seconds that an IP remains blocked (default: 60)`
			`- Failure Window: Time window in seconds during which failed attempts are counted (default: 15)`

			`### Managing Locked Users`

			`The Locked Users tab in the Admin Panel shows all currently locked users with:`
			`- Username`
			`- Email address`
			`- Number of failed attempts`
			`- Remaining lock time`

			`#### Unlocking Users`

			`There are two ways to unlock users:`

			`1. Individual Unlock: Click the red lock icon next to a specific user to unlock them`
			`2. Unlock All: Click the "Unlock All" button to unlock all currently locked users at once`

			`### User Filtering`

			`In the People section of the Admin Panel, you can filter users by lock status:`

			`1. Use the dropdown menu to select "Locked Users Only"`
			`2. This will show only users who are currently locked out due to failed login attempts`

			`## Security Recommendations`

			`- Use the default settings as a starting point and adjust based on your security requirements`
			`- Consider increasing the lockout period for high-security environments`
			`- Regularly check the locked users list to identify potential attack patterns`