diff --git a/website/docs/admin/000_intro.md b/website/docs/admin/000_intro.md index f8623fd4..c6d2ef1f 100644 --- a/website/docs/admin/000_intro.md +++ b/website/docs/admin/000_intro.md 
@@ -261,15 +261,30 @@ To restrict OpenAdmin access to your team, whitelist your server's IP addresses As an additional security measure, HTTP Basic Authentication can be enabled for the admin panel. ### Brute-Force Protection -OpenAdmin includes built-in [rate limiting](https://i.postimg.cc/VfgmKCvx/ratelimiting.png) and [IP blocking](https://i.postimg.cc/053g4dsB/2024-11-01-12-25.png) to protect against brute-force attacks. You can configure the maximum number of failed login attempts allowed per IP (default is `5`) and the total number of failed attempts (default is `20`), after which the offending IP will be temporarily blocked by the firewall for one hour. -Limits are configurable in: `/etc/openpanel/openadmin/config/admin.ini` file: +Both user and admin interfaces have a built-in rate limiting and IP address blocking to protect against brute-force attacks. You can configure the maximum number of failed login attempts allowed per IP (default is `5`) and the total number of failed attempts (default is `20`), after which the offending IP will be temporarily blocked by the firewall for one hour. + +For user panel imits are configurable in: `/etc/openpanel/openpanel/conf/openpanel.config` file: +```bash +[USERS] +login_ratelimit=5 +login_blocklimit=20 +``` + +![user ratelimit](/img/panel/v1/user_block.png) + +For admin panel imits are configurable in: `/etc/openpanel/openadmin/config/admin.ini` file: ```bash [PANEL] login_ratelimit=5 login_blocklimit=20 ``` +![admin ratelimit](/img/admin/admin_block.png) + +If a user successfully logs in, the counter for `login_blocklimit` will reset. +Failed login attempts and blocked IP addresses are logged in the `/var/log/openpanel/admin/failed_login.log` file for OpenAdmin and in the `/var/log/openpanel/user/failed_login.log` file for OpenPanel. + ### IP blocking per domain Users can block IP addresses per domain name.
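Review bot: the two new lead-in sentences have a typo, "For user panel imits are configurable in:" and "For admin panel imits are configurable in:"; "imits" should read "limits", and a comma helps ("For the user panel, limits are configurable in the ... file:"). The first added paragraph should also drop the article: "Both user and admin interfaces have built-in rate limiting and IP address blocking". Finally, the added line "If a user successfully logs in, the counter for `login_blocklimit` will reset." leaves it unclear whether the per-IP `login_ratelimit` counter resets as well; since both keys are documented in the same section, stating the behaviour for both would avoid readers assuming a successful login clears the per-IP count.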