Overview
Version
FineBI Version | App Version |
6.0 | 11.0 |
Functions
If SMS verification is not enabled, there is no limit on the number of failed login attempts, so an attacker can try passwords repeatedly (a brute force attack) until one succeeds, which gravely threatens platform security.
Adding a feature to defend against brute force attacks is important to improve product security.
Enable Login Lock to prevent brute force attacks.

Procedures
Enabling Login Lock
Log into FineBI as admin and choose System Management > System Setting > Login to enable Login Lock, as shown in the following figure.
Error Time Limit
For example, if the threshold is set to five attempts and the lockout duration to 60 minutes, then after five failed login attempts you will receive a message stating that the account has been locked and will remain locked for 60 minutes.
The effect on PC is shown in the following figure.
The effect on mobile terminals is shown in the following figure.
Lock Target
Note:
Users behind an Nginx reverse proxy are advised to select Account as the lock target; otherwise, a lockout may prevent all users from logging in to the platform. For details, see section "Failed Login for All Users".
Lock Target includes Account and IP.
1. Account: When an account is locked, an ordinary account remains locked even if you switch devices. When admin account lockout is enabled, the admin account also remains locked when switching devices.
2. IP: When an IP address is locked, all accounts on the current device (as seen by the server) are locked. You can still log in by switching to a device with a different IP address.
Admin Unlock
1. Automatic unlock and manual unlock
The account or IP address is automatically unlocked once the configured lockout duration has elapsed (60 minutes in the example above). It can also be unlocked manually by clicking the unlock icon, as shown in the following figure.
2. Resetting the password after forgetting it
3. Disabling login lock by admins
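The following is an added example, not FineBI's own code, that models the Login Lock behaviour described above: a failed-attempt threshold, a lockout duration, a lock target of Account or IP, automatic unlock when the duration elapses, and manual unlock by an admin. The class name LoginLock, the minute-based clock passed in as now, and the rule that a successful login resets the failure counter are assumptions made for the illustration.

```python
"""Added example (not FineBI's own code): a minimal model of Login Lock.

Time is passed in explicitly as a minute count so the automatic unlock can
be exercised without waiting; the real product uses wall-clock time.
"""
from dataclasses import dataclass, field


@dataclass
class LoginLock:
    threshold: int = 5             # Error Time Limit: failed attempts before locking
    lockout_minutes: int = 60      # lockout duration
    lock_target: str = "account"   # Lock Target: "account" or "ip"
    _failures: dict = field(default_factory=dict)      # key -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # key -> unlock time (minutes)

    def _key(self, account, ip):
        # Account target: the lock follows the account across devices.
        # IP target: the lock follows the address, so every account on it is affected.
        return account if self.lock_target == "account" else ip

    def is_locked(self, account, ip, now):
        key = self._key(account, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Automatic unlock: the lockout duration has elapsed.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, account, ip, password_ok, now):
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        key = self._key(account, ip)
        if self.is_locked(account, ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(key, None)  # assumption: success resets the counter
            return "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= self.threshold:
            self._locked_until[key] = now + self.lockout_minutes
            return "locked"
        return "failed"

    def unlock(self, account, ip):
        """Manual unlock by an admin (the unlock icon in the UI)."""
        key = self._key(account, ip)
        self._locked_until.pop(key, None)
        self._failures.pop(key, None)


def demo_account_lock():
    """Five bad passwords lock the account; a new device does not help; 60 minutes later it is free."""
    lock = LoginLock(lock_target="account")
    results = [lock.attempt("alice", "10.0.0.5", False, now=0) for _ in range(5)]
    from_other_device = lock.attempt("alice", "10.0.0.9", True, now=1)
    after_timeout = lock.attempt("alice", "10.0.0.9", True, now=60)
    return results, from_other_device, after_timeout


def demo_ip_lock():
    """With IP as the target, every account on the locked address is blocked, but another address is not."""
    lock = LoginLock(lock_target="ip")
    for _ in range(5):
        lock.attempt("alice", "10.0.0.5", False, now=0)
    same_ip_other_account = lock.attempt("bob", "10.0.0.5", True, now=1)
    other_ip = lock.attempt("bob", "10.0.0.7", True, now=1)
    return same_ip_other_account, other_ip


def demo_manual_unlock():
    """An admin unlock clears the lock before the duration has elapsed."""
    lock = LoginLock(lock_target="account")
    for _ in range(5):
        lock.attempt("alice", "10.0.0.5", False, now=0)
    before = lock.attempt("alice", "10.0.0.5", True, now=1)
    lock.unlock("alice", "10.0.0.5")
    after = lock.attempt("alice", "10.0.0.5", True, now=1)
    return before, after


if __name__ == "__main__":
    print("account target:", demo_account_lock())
    print("ip target:", demo_ip_lock())
    print("manual unlock:", demo_manual_unlock())
```

Running the module prints the three scenarios; the account-target run shows the fifth failure returning "locked", the attempt from a second device still returning "locked", and the attempt at the 60-minute mark returning "ok".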
Notes
Failed Login for All Users
Problem:
Users behind an Nginx proxy have selected IP as the lock target in Login Lock. When the number of failed login attempts exceeds the limit, the login is locked, and all users become unable to log in to the decision-making platform.
Cause:
In the case of a proxy, the user's login request first goes to the reverse proxy, which then forwards it to the FineReport project.
So the IP address obtained by the project is the IP address of the server where Nginx is located, and the locked IP address is also the IP address of the server where Nginx is located. That is why all users are unable to log in.
Solution:
You can add request headers in Nginx to carry the user's real IP address, allowing FineReport projects to obtain the user's real IP address.
1. Single layer Nginx proxy
Edit nginx.conf and add the following configuration inside the location block.
proxy_set_header X-Forwarded-For $remote_addr;
2. Multi-layer Nginx proxy
On the Nginx proxy server that directly faces the outside, edit nginx.conf and add the following configuration inside the location block.
proxy_set_header X-Forwarded-For $remote_addr;
On the inner Nginx proxy server, edit nginx.conf and add the following configuration inside the location block.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
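The following is an added example, not FineBI's or Nginx's own code, that simulates the two-layer proxy chain configured above and the way an application resolves the client address from the X-Forwarded-For header. It shows why, with no header set, every user behind the proxy resolves to the same address (so an IP lock blocks them all), why the outer proxy uses $remote_addr (a client-supplied X-Forwarded-For value is discarded rather than trusted), and how $proxy_add_x_forwarded_for extends the chain on the inner hop. The proxy addresses, client addresses, and the trusted-proxy walk in client_ip are constructed assumptions for the illustration; the real FineBI/FineReport header handling is not shown on this page.

```python
"""Added example (not FineBI's or Nginx's code): X-Forwarded-For through a proxy chain.

Requests are plain dicts: {"remote_addr": <TCP peer address>, "headers": {...}}.
All addresses below are constructed sample values.
"""

OUTER = "192.0.2.1"   # outward-facing Nginx (constructed)
INNER = "10.0.0.2"    # inner Nginx (constructed)
HEADER = "X-Forwarded-For"


def outer_proxy(request, proxy_ip=OUTER):
    """proxy_set_header X-Forwarded-For $remote_addr;
    The outer hop replaces any incoming value with the address it actually saw."""
    fwd = {"remote_addr": proxy_ip,
           "headers": {k: v for k, v in request["headers"].items() if k.lower() != HEADER.lower()}}
    fwd["headers"][HEADER] = request["remote_addr"]
    return fwd


def inner_proxy(request, proxy_ip=INNER):
    """proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    The inner hop appends the address of the hop it saw to the existing chain."""
    fwd = {"remote_addr": proxy_ip, "headers": dict(request["headers"])}
    existing = request["headers"].get(HEADER)
    fwd["headers"][HEADER] = f"{existing}, {request['remote_addr']}" if existing else request["remote_addr"]
    return fwd


def passthrough_proxy(request, proxy_ip):
    """A proxy with no proxy_set_header line: headers pass through, the peer address changes."""
    return {"remote_addr": proxy_ip, "headers": dict(request["headers"])}


def client_ip(request, trusted_proxies):
    """Resolve the client address as an application behind the proxies would (assumed logic):
    walk the chain from the right, skip addresses of proxies we trust, and take the first
    address we do not trust. With no header, only the TCP peer address remains."""
    chain = [a.strip() for a in request["headers"].get(HEADER, "").split(",") if a.strip()]
    chain.append(request["remote_addr"])
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return chain[0]  # everything was a trusted proxy: the peer address is all we have


def resolve(client_addr, client_headers, configured):
    """Send one request through the chain and return the address the application sees."""
    req = {"remote_addr": client_addr, "headers": dict(client_headers)}
    if configured:
        req = inner_proxy(outer_proxy(req))
    else:
        req = passthrough_proxy(passthrough_proxy(req, OUTER), INNER)
    return client_ip(req, trusted_proxies={OUTER, INNER})


def lock_keys(client_addrs, configured):
    """The set of IP lock keys the application would use for these clients."""
    return {resolve(addr, {}, configured) for addr in client_addrs}


if __name__ == "__main__":
    clients = ["203.0.113.10", "203.0.113.11"]  # constructed sample clients
    print("keys without header:", lock_keys(clients, configured=False))  # one shared key
    print("keys with header:   ", lock_keys(clients, configured=True))   # one key per client
    print("spoof attempt ->", resolve("203.0.113.10", {HEADER: "198.51.100.99"}, True))
```

Without the header, both clients collapse onto the inner proxy's address, so five failures from anyone lock the single key that every user shares; with the configured chain, each client keeps its own key. The spoof line shows that because the outer proxy writes $remote_addr rather than appending, a client-supplied value never reaches the application.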