Articles in this section

See more

Invalid login attempts protection in Aura

Rajesh Thennan
  • Updated
Follow

Neo4j has two built-in security configuration settings for handling invalid login attempts (possible brute force attacks), and these are implemented in Aura as explained below:

  1. dbms.security.auth_lock_time:
    • The amount of time the user account will be locked after a configured number of unsuccessful authentication attempts.
    • The locked-out user will not be able to log in until the lock period expires, even if correct credentials are provided. 
    • Aura instances currently has a value of 5 seconds for dbms.security.auth_lock_time

  2. dbms.security.auth_max_failed_attempts:
    • The maximum number of unsuccessful authentication attempts before imposing a user lock for the configured amount of time, as defined by dbms.security.auth_lock_time.
    • The locked-out user will not be able to log in until the lock period expires, even if correct credentials are provided. 
    • Aura instances currently has a value of 3 for dbms.security.auth_max_failed_attempts

 

Can these values be customized?
The above settings are hardcoded server-side settings universally applicable to all Aura instances and cannot be customized.

 

How do I know if my user is locked?

Using Cypher-shell:

  • Connection attempts from cypher-shell will fail with the message 'The client has provided incorrect authentication details too many times in a row.'cypherShellFail.png

Using the Neo4j Browser:
When such a user lock is in place, users attempting to connect (even with valid credentials) will get a response similar to the below one while trying to login through the Neo4j browser :
mceclip0.png

If you receive a message like "'Could not perform discovery...." in the web browser:

  1. Open the web browser's developer tools and navigate to the 'Network' section.
  2. Try connecting to the Aura instance again.
  3. You'll be able to see log entries with the name <DBID>.databases.neo4j.io
    networkLogs1.png
  4. Click the first entry in the network logs with this name and then navigate to the 'Messages' tab.
    networkLogs2.png
  5. Click the last 'Binary Message'. You will be able to see the message "ClientError.Security.AuthenticationRateLimit.message.The client has provided incorrect authentication details too many times in a row..."
    networkLogs3.png

 

When the user lock is in place, programmatic connection attempts (like Neo4j drivers) will fail with messages similar to the below ones:

 

Javascript:

Could not perform discovery. No routing servers available. 
Known routing table: RoutingTable[database=default database, expirationTime=0, currentTime=xxxxxxx, routers=[], readers=[], writers=[]]

Python:

Could not connect to any routing servers.

Java, SDN, and Go: 

The client has provided incorrect authentication details too many times in a row.

 

Will the user lock impact existing connections?
The user lock will only affect new connection attempts. Existing / Ongoing successful connections will not be affected by the user lock.

Tags: securityTags: authenticationTags: LoginTags: dbms.security.auth_max_failed_attemptsTags: auth_max_failed_attemptsTags: dbms.security.auth_lock_timeTags: auth_lock_timeTags: AuthenticationRateLimitTags: authentication details

Related articles

Comments

0 comments

Please sign in to leave a comment.