Login Lock

Version

Function Description

If SMS verification is not enabled, the number of login failures is not limited. Attackers can log in to the platform through brute-force attacks (by traversal), posing significant security risks to the platform.

Therefore, implementing login protection against brute-force attacks is a critical measure to enhance product safety.

You can enable Login Lock to prevent brute-force attacks.

Note:

This function is supported on mobile terminals.

Enabling Login Lock

Log in to the FineBI system as the admin, choose System Management > System Setting > Login > Login Lock Setting, and enable Login Lock, as shown in the following figure.

Setting the Error Time Limit

For example, if you set Error Time Limit to If Password Error Reaches 5 Time(s), Lock Login for 60 Minute(s), the account used to log in will be locked after five incorrect password attempts within 60 minutes.

1. The following figure shows the effect on PCs.

2. The following figure shows the effect on the DataAnalyst app.

Setting the Lock Object

Note:

If you (the admin) use the NGINX reverse proxy, you are advised to set Lock Object to Account. Otherwise, all users may be unable to log in. For details, see the "All Users Unable to Log in to the Platform" section.

You can select Account or IP as Lock Object.

1. Account: In the locked status, a common account remains locked even on another device. After Lock Admin Account is enabled, in the locked status, the admin account remains locked even on another device.

2. IP: In the locked status, all accounts on the current device and current server are locked. In this case, you can log in using another device.

Unlocking the Account

1. Both automatic and manual unlocking are supported.

If your account is locked, the account can be automatically unlocked after the set lock time (for example, 60 minutes). You can also manually unlock the account by clicking the unlock icon, as shown in the following figure.

2. Alternatively, you can unlock the account via password reset by clicking Forgot Password on the login page.

3. Additionally, as the admin, you can unlock the account by disabling Login Lock.

All Users Unable to Log in to the Platform

Problem:

The NGINX reverse proxy is used in the project and Lock Object is set to IP. In this case, when the password error count exceeds the error count limit, the account is locked, and all users are unable to log in to the FineBI platform.

Cause:

With the NGINX reverse proxy used, the user's login request first goes to the reverse proxy and is then forwarded to the FineBI project by the proxy.

Therefore, the IP address of the server (where NGINX is located) is obtained and locked by the project, causing all subsequent users to be unable to log in.

Solution:

You can add request headers in NGINX proxy configurations to pass the user's real IP address to the FineBI project.

1. Single-Layer NGINX Proxy

You can edit the nginx.conf file and add the following code in the location module, as shown in the following figure.

proxy_set_header X-Forwarded-For $remote_addr;

2. Multi-Layer NGINX Proxy

For the NGINX proxy server that can directly receive the client requests, you can edit the nginx.conf file and add the following code in the location module, as shown in the following figure.

proxy_set_header X-Forwarded-For $remote_addr;

For the inner-layer NGINX proxy server, you can edit the nginx.conf file and add the following code in the location module, as shown in the following figure.

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;