To ensure system security, you can configure user logon settings, account lockout policies, and user status settings. You can configure user logon settings to allow users to use only key pairs for authentication when they log on to a bastion host in SSH mode. You can configure account lockout policies to protect your resources against brute-force attacks. You can also configure the parameters in the User Status Settings section to specify the validity period of passwords and mark accounts that are not used to log on to the system for a long period of time as Inactive.
Procedure

1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
2. In the left-side navigation pane, click System Settings.
3. On the User Settings tab, configure the parameters. The following sections describe each parameter.

User Logon Settings

Disable Password-based SSH Logon
    After you turn on Disable Password-based SSH Logon, users can use only key pairs for authentication when they log on to the bastion host in SSH mode.

Account Lockout Policy

Account Lockout Threshold
    The number of consecutive failed logon attempts that cause an account to be locked.
    Valid values: 0 to 999. Default value: 5. If you set this parameter to 0, the system never locks an account.

Account Lockout Duration
    The duration for which a locked account cannot be used to log on to the system. Unit: minutes.
    Valid values: 0 to 10080. Default value: 30. If you set this parameter to 0, an account remains locked until a Bastionhost administrator unlocks the account.

Reset Account Lockout Counter After
    The period of time that must elapse after a failed logon attempt, with no further failed attempts, before the failed logon attempt counter is reset to 0. This parameter takes effect only while the number of failed logon attempts does not exceed the value of Account Lockout Threshold, that is, while the account is not yet locked. Unit: minutes.
    For example, you set Account Lockout Threshold to 5 and Reset Account Lockout Counter After to 5. If the fourth failed logon attempt with an invalid password occurs at 14:00:00 and no further failed attempts occur from 14:00:00 to 14:05:00, the failed logon attempt counter is reset to 0 after 14:05:00 on the current day.
    Valid values: 0 to 10080. Default value: 5.

User Status Settings

Password Validity Period
    The validity period of a password. After the validity period elapses, the user must reset the password. This parameter takes effect only for local users.
    Valid values: 0 to 365. Default value: 0. Unit: days. If you set this parameter to 0, a password never expires.

Mark Inactive User Accounts
    The number of days after which an account is marked as Inactive. If an account is not used to log on to the system within the specified period of time, the account is marked as Inactive. Unit: days.
    Valid values: 0 to 365. Default value: 0. If you set this parameter to 0, an account is never marked as Inactive.

Automatically Lock Inactive User Accounts
    After you turn on the switch, the system automatically locks the accounts of users who have not logged on to the bastion host for a long period of time. The locked users can log on to the bastion host again only after a Bastionhost administrator unlocks their accounts.

Automatic Synchronization of Status and Information About AD- and LDAP-authenticated Users
    The interval at which the configurations and status of the Active Directory (AD)-authenticated or Lightweight Directory Access Protocol (LDAP)-authenticated users imported into Bastionhost are automatically synchronized. Unit: minutes.
    Valid values: 15 to 14400. Default value: 240.

4. Click Save.
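The following simulation, added here as an illustration and not part of Bastionhost or this page, models how the three Account Lockout Policy parameters interact so that an administrator can reason about a chosen setting before saving it. It replays the page's own example (fourth failure at 14:00:00, quiet until after 14:05:00) and also covers the two special values, Account Lockout Threshold = 0 (never lock) and Account Lockout Duration = 0 (locked until an administrator unlocks). The class and function names, the timestamps, and the exact tie-breaking at the edge of the reset window are assumptions of this example, not documented Bastionhost behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int = 5            # Account Lockout Threshold; 0 = never lock
    lockout_minutes: int = 30     # Account Lockout Duration; 0 = locked until an admin unlocks
    reset_after_minutes: int = 5  # Reset Account Lockout Counter After

@dataclass
class AccountState:
    failed_count: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None  # None = no timed lock in effect
    admin_unlock_required: bool = False

def is_locked(state, now):
    if state.admin_unlock_required:
        return True
    return state.locked_until is not None and now < state.locked_until

def record_failed_logon(policy, state, now):
    """Apply one failed logon attempt at `now`; return "locked" or "counted"."""
    if is_locked(state, now):
        return "locked"                # the reset window never applies to a locked account
    if state.locked_until is not None: # a timed lock has expired: start from a clean counter
        state.locked_until, state.failed_count = None, 0
    window = timedelta(minutes=policy.reset_after_minutes)
    if state.last_failure is not None and now - state.last_failure > window:
        state.failed_count = 0         # quiet for longer than the window: counter resets to 0
    state.failed_count += 1
    state.last_failure = now
    if policy.threshold > 0 and state.failed_count >= policy.threshold:
        if policy.lockout_minutes == 0:
            state.admin_unlock_required = True
        else:
            state.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        return "locked"
    return "counted"

def admin_unlock(state):
    state.admin_unlock_required, state.locked_until, state.failed_count = False, None, 0

def at(hour, minute, second=0):
    return datetime(2024, 1, 1, hour, minute, second)  # constructed timestamp on a sample day

def simulate(policy, attempts):
    """Replay failed-attempt timestamps; return each attempt's outcome and the final state."""
    state = AccountState()
    return [record_failed_logon(policy, state, t) for t in attempts], state
```

With the defaults, `simulate(LockoutPolicy(), [at(13, 57), at(13, 58), at(13, 59), at(14, 0), at(14, 6)])` ends with a counter of 1, whereas a fifth failure at exactly 14:05:00 still falls inside the window and locks the account until 14:35:00.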