How to disable a guest account automatically after a certain number of wrong password attempts


You might want a guest account to be disabled automatically after a user makes a certain number of consecutive invalid password attempts. This prevents them from finding the password by brute force. This article explains how to disable the guest account after a certain number of successive wrong attempts.


We use Insight to compute the number of bad password attempts since the user's last successful login. Once the maximum number of bad password attempts is reached, a post-authentication update disables the corresponding guest account.


Insight must be enabled for this to work, so make sure that Insight is enabled on at least one node.

We also need an Insight filter to compute the bad password count, which you add as a custom filter. Click on the Insight Authentication source and then on the "Add More Filters" option to add a new filter.



The query that performs the required computation is below:


SELECT COUNT(*) + 1 AS login_failed_count FROM auth WHERE error_code = 216 AND username = '%{Authentication:Username}' AND timestamp > (SELECT GREATEST ((SELECT timestamp from auth where error_code = 0 AND username = '%{Authentication:Username}' order by timestamp desc limit 1), date_trunc('year', NOW())))


Give the new filter a name and paste in the query above, mapping the right attribute name to an alias of your choice. The alias name will be referenced in your rules.


We also need an enforcement profile of type post auth that disables the account after the user hits the threshold.


In the service that handles the guest authentication we need to add Insight as an authorization source. 


The rules can be configured as below


Once the configuration is done as per the screenshots above, the guest user account will be disabled after 5 wrong password attempts. Please note that for the first login attempt, regardless of whether the authentication succeeds or fails, you might see the login failed count as 1. That is because of the +1 in the query, and we should ignore that.
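The filter query and the first-attempt count of 1 described above can be tried outside ClearPass. The following is an added example, not part of the original article or of ClearPass: it runs the same query in a plain PostgreSQL session against a constructed temporary table named auth. The three columns' types, the sample rows and the guest_a to guest_d users are assumptions.

```sql
-- Constructed stand-in for the Insight "auth" table: only the three columns
-- the filter query reads. Column types are assumptions.
CREATE TEMP TABLE auth (
    username   text,
    error_code integer,      -- 0 = success, 216 = failure code the filter counts
    timestamp  timestamptz
);

-- Constructed sample rows, all relative to NOW().
INSERT INTO auth (username, error_code, timestamp) VALUES
    -- guest_a: a success, then four consecutive failures
    ('guest_a',   0, NOW() - interval '50 minutes'),
    ('guest_a', 216, NOW() - interval '40 minutes'),
    ('guest_a', 216, NOW() - interval '30 minutes'),
    ('guest_a', 216, NOW() - interval '20 minutes'),
    ('guest_a', 216, NOW() - interval '10 minutes'),
    -- guest_b: two failures, a success, then one more failure
    ('guest_b', 216, NOW() - interval '40 minutes'),
    ('guest_b', 216, NOW() - interval '30 minutes'),
    ('guest_b',   0, NOW() - interval '20 minutes'),
    ('guest_b', 216, NOW() - interval '10 minutes'),
    -- guest_c: never succeeded; its only failure predates the current year
    ('guest_c', 216, NOW() - interval '2 years');
    -- guest_d: no rows at all (first ever attempt)

-- The page's filter query, with %{Authentication:Username} replaced by the
-- bound parameter $1 so it can be run per user.
PREPARE login_failed_count(text) AS
SELECT COUNT(*) + 1 AS login_failed_count
FROM auth
WHERE error_code = 216
  AND username = $1
  AND timestamp > (SELECT GREATEST(
        (SELECT timestamp FROM auth
          WHERE error_code = 0 AND username = $1
          ORDER BY timestamp DESC LIMIT 1),
        date_trunc('year', NOW())));

EXECUTE login_failed_count('guest_a');  -- failures since the last success, plus the +1
EXECUTE login_failed_count('guest_b');  -- failures before the success are not counted
EXECUTE login_failed_count('guest_c');  -- no success row: GREATEST ignores the NULL and uses Jan 1
EXECUTE login_failed_count('guest_d');  -- no history: only the +1 remains
```

Because the query floors the window at the start of the current year, failures recorded before January 1 never contribute to the count, even for an account that has never logged in successfully.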



You can verify that the configuration above is working by testing with a guest account and making 5 login attempts with a wrong password.

Create a guest account that can be used for testing.


Try logging in with that account 5 times with an incorrect password. Each time you log in with an incorrect password, you will see the "Login Failed Count" increment by 1. Once it reaches 5, the enforcement we configured disables the guest user account.



Once the enforcement is done, you can go back to guest user accounts and verify that the account is disabled.


Version history: Revision 2 of 2. Last update: 03-01-2017 03:02 AM