
Bastionhost: User configuration

Last Updated: Jul 31, 2025

To ensure system security, you can configure user logon settings, account lockout policies, and user status settings. User logon settings let you require key pairs for authentication when users log on to a bastion host in SSH mode. Account lockout policies protect your resources against brute-force attacks by locking an account or a source IP address after repeated logon failures. You can also specify the validity period of passwords and mark accounts that have not been used to log on to the system for a long period of time as Inactive.

  1. Log on to the Bastionhost console and select the target region in the top navigation bar.

  2. In the bastion host list, find the target instance and click Manage.

  3. In the navigation pane on the left, click System Settings.

  4. On the User Settings tab, configure the parameters based on the following table and click Save.

    Parameter

    Description

    User Logon Settings

    Disable Password-based SSH Logon

    If you enable this feature, users can use only key pairs or O&M tokens for authentication when they log on to the bastion host to perform O&M operations based on the SSH protocol or over an SSH tunnel.

    Disable SSH Public Key Authentication

    If you enable this feature, users can use only passwords or O&M tokens for authentication when they log on to the bastion host to perform O&M operations on hosts using an SSH-based O&M tool or perform O&M operations on databases over an SSH tunnel.

    Disable CAPTCHA for Private O&M Portal

    If you enable this feature for a user, no completely automated public Turing test to tell computers and humans apart (CAPTCHA) is performed when the user logs on to the O&M portal of the bastion host over the private endpoint. CAPTCHA verification for O&M portal logons is available only over the public network. If a user cannot use the client to access the bastion host over the public endpoint, you must enable this feature so that the user can log on to the bastion host from the private O&M portal.

    Logon Lock Configuration

    Account Lockout Policy

    Account Lockout Threshold

    The number of consecutive failed logon attempts that cause an account to be locked.

    Valid values: 0 to 999. The default value is 5. If you set this parameter to 0, the account is never locked.

    Account Lockout Duration

    The duration within which a locked account cannot be used to log on to the system. Unit: minutes.

    Valid values: 0 to 10080. The default value is 30. If you set this parameter to 0, the account remains locked until an administrator unlocks it.

    Reset Account Lockout Counter After

    The period of time, counted from the most recent failed attempt, after which the counter for failed password attempts is reset to 0, provided the account has not been locked in the meantime. Unit: minutes.

    Note

    For example, if Account Lockout Threshold is set to 5 and Reset Account Lockout Counter After is set to 5, and you enter an incorrect password for the fourth consecutive time at 14:00:00 and make no further incorrect attempts between 14:00:00 and 14:05:00, the counter for failed password attempts is reset to 0 after 14:05:00 on the same day.

    Valid values: 0 to 10080. The default value is 5.

    IP Lockout

    Account Lockout Threshold

    If the number of logon failures from the same source IP address reaches the specified threshold, the IP address is automatically locked. The default value is 30. If you set this parameter to 0, IP addresses are not locked. Locked IP addresses are not automatically unlocked. You must manually unlock them.

    Reset Account Lockout Counter After

    The period of time that must elapse after a logon failure before the logon failure counter for the IP address is reset to 0. Unit: minutes.

    Valid values: 1 to 10080. The default value is 5.

    IP Addresses in Blacklist

    Locked IP addresses are displayed in the table. You must manually unlock an IP address before it can be used to access the bastion host.

    User Password Security Settings

    Password Validity Period

    The validity period of a password. After the validity period elapses, the user must reset the password. This parameter takes effect only for local users.

    Unit: days. Valid values: 0 to 365. The default value is 0. If you set this parameter to 0, the password never expires.

    Password History Check

    The number of previous passwords that a user cannot use when the user resets a password. Valid values: 0 to 30. The default value is 5. If you set this parameter to 0, no limits are imposed.

    User Status Settings

    Mark Inactive User Accounts

    The number of consecutive days without a logon after which an account is marked as Inactive. Unit: days.

    Valid values: 0 to 365. The default value is 0. If you set this parameter to 0, accounts are never marked as Inactive.

    Automatically Lock Inactive User Accounts

    If you enable this feature, the system automatically locks users who have been inactive for a long time. The locked users can use their accounts again only after an administrator unlocks their accounts.

    You can configure the interval at which the system checks for and locks inactive users. The default value is 10 minutes. Valid values: 10 to 1440 minutes, or 1 to 24 hours.

    Automatic Synchronization of Status and Information About AD- and LDAP-authenticated Users

    The interval at which the configurations and status of the Active Directory (AD)-authenticated or Lightweight Directory Access Protocol (LDAP)-authenticated users imported into Bastionhost are automatically synchronized. Unit: minutes.

    Valid values: 15 to 14400. The default value is 240.
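The following is an added example, not code from the Bastionhost product or this document: a small Python model of the Account Lockout Policy parameters (Account Lockout Threshold, Account Lockout Duration, Reset Account Lockout Counter After) that also covers IP Lockout, since an IP lock is the same counter with a threshold of 30 and a duration of 0 (no automatic unlock). The `at()` helper and the timestamps it builds are constructed for the worked scenario from the Note above; the function and class names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockoutPolicy:
    """The three lockout parameters; defaults are the page's Account Lockout Policy defaults."""
    threshold: int = 5        # consecutive failures that lock the subject; 0 = never lock
    duration_min: int = 30    # lock length in minutes; 0 = locked until an admin unlocks
    reset_after_min: int = 5  # idle minutes after which the failure counter resets to 0

@dataclass
class LockState:
    """Per-subject state: one instance per account, or per source IP for IP Lockout."""
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None

def at(hh: int, mm: int, ss: int = 0) -> datetime:
    """Constructed timestamps on one fixed day, enough for the worked scenarios."""
    return datetime(2025, 7, 31, hh, mm, ss)

def is_locked(policy: LockoutPolicy, st: LockState, now: datetime) -> bool:
    if st.locked_at is None:
        return False
    if policy.duration_min == 0:  # duration 0: no automatic unlock (also the IP Lockout rule)
        return True
    return now < st.locked_at + timedelta(minutes=policy.duration_min)

def admin_unlock(st: LockState) -> None:
    st.failures, st.last_failure, st.locked_at = 0, None, None

def record_failure(policy: LockoutPolicy, st: LockState, now: datetime) -> bool:
    """Register one failed logon attempt; returns True if the subject is locked afterwards."""
    if is_locked(policy, st, now):
        return True
    if st.locked_at is not None:  # an earlier timed lock has expired: start a fresh count
        admin_unlock(st)
    # Reset Account Lockout Counter After: the counter clears once the idle window has passed
    # since the previous failure (strictly after, matching "reset after 14:05:00" in the Note).
    idle = timedelta(minutes=policy.reset_after_min)
    if st.last_failure is not None and now - st.last_failure > idle:
        st.failures = 0
    st.failures += 1
    st.last_failure = now
    if policy.threshold and st.failures >= policy.threshold:
        st.locked_at = now
        return True
    return False
```

With the defaults, four failures ending at 14:00:00 followed by silence until 14:05:01 leave the counter at 1 after the next failure, whereas a fifth failure at 14:04:59 locks the account until 14:34:59.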