Regulation

Authelia can temporarily ban accounts when there are too many authentication attempts on the username / password endpoint. This helps prevent brute-force attacks.

Configuration

Example Configuration

This section is an example configuration that gives users a rough contextual layout of this configuration section; it is not intended to explain the options. The configuration shown may not be valid, so see the options section below and the navigation links to understand each option individually.

configuration.yml
regulation:
  modes:
    - 'user'
    - 'ip'
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

Options

This section describes the individual configuration options.

modes

Type: list(string)  Default: ['user']  Required: no

The modes for regulation. The table below describes each option. The recommended mode is ip. Note that, regardless of the currently configured ban modes, if bans exist in the database, the user or IP will be denied access. See the authelia storage bans command for information on managing ban entries.

Mode  Description
user  The user account is the subject of any automatic bans.
ip    The remote IP address is the subject of any automatic bans.

max_retries

Type: integer  Default: 3  Required: no

The number of failed login attempts before a user may be banned. Setting this option to 0 disables regulation entirely.

find_time

Type: string, integer (duration)  Default: 2 minutes  Required: no

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The period of time analyzed for failed attempts. For example, if you set max_retries to 3 and find_time to 2m, the user must have 3 failed logins within 2 minutes to be banned.

ban_time

Type: string, integer (duration)  Default: 5 minutes  Required: no

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The period of time the user is banned for after reaching max_retries failed attempts within find_time. After this duration the account will be able to log in again.
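To make the interaction of max_retries, find_time and ban_time concrete, here is an added sliding-window model of the regulation logic (example code written for this page, not Authelia's implementation). It assumes durations are given in seconds, tracks failures per subject for each enabled mode, and, as the modes section states, denies access to any user or IP with an active ban regardless of the configured modes.

```python
"""Sliding-window model of Authelia-style regulation (illustrative, not Authelia's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Regulator:
    max_retries: int = 3          # failed attempts before a ban; 0 disables regulation
    find_time: float = 120.0      # seconds; Authelia default '2m'
    ban_time: float = 300.0       # seconds; Authelia default '5m'
    modes: tuple = ("user", "ip")  # which subjects receive automatic bans
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _banned_until: dict = field(default_factory=dict)

    def _subjects(self, username, ip):
        # One tracking key per enabled mode; each is counted independently.
        keys = []
        if "user" in self.modes:
            keys.append(("user", username))
        if "ip" in self.modes:
            keys.append(("ip", ip))
        return keys

    def is_banned(self, username, ip, now):
        # An existing ban on either the user or the IP denies access,
        # regardless of which modes are currently configured.
        for key in (("user", username), ("ip", ip)):
            until = self._banned_until.get(key)
            if until is not None and now < until:
                return True
        return False

    def record_failure(self, username, ip, now):
        """Record a failed login at time `now`; return the subjects newly banned."""
        if self.max_retries == 0:
            return []  # max_retries 0 disables regulation entirely
        newly_banned = []
        for key in self._subjects(username, ip):
            window = self._failures[key]
            window.append(now)
            # Drop failures older than find_time so only the recent window counts.
            while window and now - window[0] > self.find_time:
                window.popleft()
            if len(window) >= self.max_retries:
                self._banned_until[key] = now + self.ban_time
                window.clear()
                newly_banned.append(key)
        return newly_banned
```

Note that with mode ip a ban triggered by failures against one account blocks every username from that address, which is why the documentation recommends it for stopping brute-force attempts.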