Brute Force Protection Non-Functional

We recently noticed some brute force attacks on our Grafana site. When looking into options for brute force protection, I came across the Grafana configuration parameter, disable_brute_force_protection, which is set to False by default. I have not changed it in my configuration. However, I ran a test to enter the wrong password for an existing username and I was able to enter the wrong password 20-30 times before giving up. What is the status of this feature? Does it actually work?

1 Like

Should this question be asked in someother forum to get a reply?

@csheaupdesigns I tested this and initially thought it wasn’t working because I expected to see something in the UI telling me that I exceeded my login attempts.

When I tried to log in after 20+ bad passwords, I could not log in with the correct password. So I decided to search the code, which works after 5 failed attempts - BUT - the UI didn’t tell me how many tries I had left or when the account was locked.

I’d suggest opening an issue in github for this to find out if the current UI behavior was intentional or open a discussion about changing it.

I opened a docs PR to find out if we want to document the expected behavior.