Neo4j has two built-in security configuration settings for handling invalid login attempts (possible brute force attacks), and these are implemented in Aura as explained below:
- dbms.security.auth_lock_time:
  - The amount of time a user account stays locked after the configured number of unsuccessful authentication attempts.
  - While the lock is in place the user cannot log in, even with correct credentials, until the lock period expires.
  - Aura instances currently use a value of 5 seconds for dbms.security.auth_lock_time.
- dbms.security.auth_max_failed_attempts:
  - The maximum number of unsuccessful authentication attempts before a user lock is imposed for the period defined by dbms.security.auth_lock_time.
  - While the lock is in place the user cannot log in, even with correct credentials, until the lock period expires.
  - Aura instances currently use a value of 3 for dbms.security.auth_max_failed_attempts.
Can these values be customized?
The above settings are hardcoded server-side settings universally applicable to all Aura instances and cannot be customized.
How do I know if my user is locked?
Using cypher-shell:
- Connection attempts from cypher-shell fail with the message 'The client has provided incorrect authentication details too many times in a row.'
Using the Neo4j Browser:
When a user lock is in place, connection attempts through the Neo4j Browser (even with valid credentials) fail, but the Browser may only show a generic message such as "Could not perform discovery...." rather than naming the lock. To confirm that a user lock is the cause:
- Open the web browser's developer tools and navigate to the 'Network' section.
- Try connecting to the Aura instance again.
- You'll be able to see log entries with the name <DBID>.databases.neo4j.io
- Click the first entry in the network logs with this name and then navigate to the 'Messages' tab.
- Click the last 'Binary Message'. You will be able to see the message "ClientError.Security.AuthenticationRateLimit.message.The client has provided incorrect authentication details too many times in a row..."
When a user lock is in place, programmatic connection attempts (for example through the Neo4j drivers) fail with messages similar to the following. Note that the JavaScript and Python drivers surface the lock as a routing-discovery failure rather than as an authentication error, so the root cause is not obvious from the message alone:
Javascript:
Could not perform discovery. No routing servers available.
Known routing table: RoutingTable[database=default database, expirationTime=0, currentTime=xxxxxxx, routers=[], readers=[], writers=[]]
Python:
Could not connect to any routing servers.
Java, SDN, and Go:
The client has provided incorrect authentication details too many times in a row.
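The following Python script is an added example; it is not from the article and not part of Neo4j's driver code. It shows how a client can tell a user lock apart from a plain credential failure using the driver messages quoted above, wait out the documented 5-second lock once instead of retrying immediately, and give up at once when the failure is a genuine authentication error (retrying with wrong credentials only re-locks the user). The function names (classify_failure, connect_lock_aware), the marker lists and the environment variables in the demo are assumptions of this example; the demo at the bottom uses the real neo4j Python driver's GraphDatabase.driver and verify_connectivity calls, which the article itself does not mention.

```python
"""Client-side handling of an Aura user lock.

Added example, not part of the original article or of Neo4j's driver code.
It relies only on the facts stated in the article: 3 failed attempts lock the
user for 5 seconds, the lock rejects even correct credentials until it expires,
and the error text quoted for the JavaScript, Python and Java/Go drivers.
"""
import time
from typing import Callable, List, Optional

# Server-side values stated for Aura; customers cannot change them.
AURA_AUTH_MAX_FAILED_ATTEMPTS = 3
AURA_AUTH_LOCK_TIME_SECONDS = 5

# Fragments of the error text the article quotes. The routing messages
# (JavaScript/Python drivers) are ambiguous: they also appear when the host is
# simply unreachable, so they are treated as a *possible* lock, not a certain one.
CERTAIN_LOCK_MARKERS = (
    "incorrect authentication details too many times",  # Java, SDN, Go, cypher-shell
    "Security.AuthenticationRateLimit",                  # Bolt status code seen in the browser
)
POSSIBLE_LOCK_MARKERS = (
    "Could not perform discovery",                       # JavaScript driver
    "Could not connect to any routing servers",          # Python driver
)


def classify_failure(exc: BaseException) -> str:
    """Return 'locked', 'maybe_locked' or 'other' for a connection failure."""
    text = str(exc)
    # Neo4j driver exceptions carry the server status code in .code; plain
    # network errors do not, so fall back to an empty string.
    code = getattr(exc, "code", None) or ""
    if any(m in text or m in code for m in CERTAIN_LOCK_MARKERS):
        return "locked"
    if any(m in text for m in POSSIBLE_LOCK_MARKERS):
        return "maybe_locked"
    return "other"


def connect_lock_aware(
    connect: Callable[[], object],
    lock_time: float = AURA_AUTH_LOCK_TIME_SECONDS,
    max_waits: int = 1,
    sleep: Callable[[float], None] = time.sleep,
    log: Optional[List[str]] = None,
) -> object:
    """Call connect(); if the failure looks like a user lock, wait out the lock
    and retry (at most max_waits times), otherwise re-raise immediately.

    Retrying before the lock expires cannot succeed (the lock rejects correct
    credentials too), and retrying with wrong credentials after it expires
    re-locks the user, so the loop is bounded and never hammers the server.
    Already-authenticated driver instances are unaffected by the lock, so the
    caller should keep using those rather than reopening them.
    """
    log = log if log is not None else []
    waits = 0
    while True:
        try:
            return connect()
        except Exception as exc:  # driver exceptions all derive from Exception
            kind = classify_failure(exc)
            log.append(kind)
            if kind == "other" or waits >= max_waits:
                raise
            waits += 1
            # One extra second covers clock skew between client and server.
            sleep(lock_time + 1)


if __name__ == "__main__":
    # Demo against a real instance; the connection details are assumed to come
    # from the environment (assumption of this example, not from the article).
    import os
    from neo4j import GraphDatabase  # real driver, only needed for this demo

    uri = os.environ["NEO4J_URI"]  # e.g. neo4j+s://<DBID>.databases.neo4j.io
    auth = (os.environ["NEO4J_USER"], os.environ["NEO4J_PASSWORD"])

    def open_driver():
        driver = GraphDatabase.driver(uri, auth=auth)
        driver.verify_connectivity()  # forces the authentication handshake now
        return driver

    events: List[str] = []
    driver = connect_lock_aware(open_driver, log=events)
    print("connected after", events)
    driver.close()
```

Because the JavaScript and Python routing messages are also what an unreachable host produces, they are only treated as a possible lock and the retry is bounded: if the failure persists after the lock should have expired, either the cause is something else, or another process using the same user is still burning the three attempts with bad credentials, and the right response is to stop reconnecting and look at that process rather than keep retrying.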
Will the user lock impact existing connections?
The user lock only affects new connection attempts. Existing, already-authenticated connections are not affected by the lock.