Rate limiting logins in PaperCut MF
PaperCut 18.3 introduced a security enhancement to rate limit authentication attempts in line with OWASP recommendations. This hardens deployments against password brute forcing attacks, by failing authentication requests when the number of incorrect login requests exceeds the limit.
The rate limits apply for built-in admin users and all internal users managed by the server. For users external to the server, such as those from an external user source, the authentication is delegated to the source itself and should be configurable there.
The limits apply across all of the servers’ login interfaces and APIs and are based per client IP. The default limit is 20 incorrect logins per 60 seconds per IP, which can be changed via
user.security.ip-rate-limit-per-min config key. Admins are alerted of the limit activation via an application log message.
Please note previously
client.api.security.rate-limit.enabled was used to control this functionality in client. This key is now deprecated and controlled via
user.security.ip-rate-limit-per-min. If it was previously disabled it will be re-enabled by the virtue of the new config key, therefore it will need to be set to a negative value to disable it.