Link Search Menu Expand Document Documentation Menu

You're viewing version 2.17 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

API rate limiting

API rate limiting is typically used to restrict the number of API calls that users can make in a set span of time, thereby helping to manage the rate of API traffic. For security purposes, rate limiting features, by restricting failed login attempts, have the potential to defend against denial of service (DoS) attacks or repeated login attempts intended to gain access through trial and error.

You have the option to configure the Security plugin for username rate limiting, IP address rate limiting, or both. These configurations are made in the config.yml file. See the following sections for information about each type of rate limiting configuration.

Username rate limiting

The username rate limiting configuration limits login attempts by username. When a login fails, the username is blocked from use by any machine in the network. The following example shows config.yml file settings configured for username rate limiting:

auth_failure_listeners:
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: internal
    allowed_tries: 3
    time_window_seconds: 60
    block_expiry_seconds: 60
    max_blocked_clients: 100000
    max_tracked_clients: 100000

The following table describes the individual settings for this type of configuration.

Setting Description
type The type of rate limiting. In this case, username.
authentication_backend The internal backend. Enter internal.
allowed_tries The number of login attempts allowed before login attempts are blocked. Be aware that increasing the number increases heap usage.
time_window_seconds The window of time during which the value for allowed_tries is enforced. For example, if allowed_tries is 3 and time_window_seconds is 60, a username has 3 attempts to log in successfully within a 60-second time span before login attempts are blocked.
block_expiry_seconds The window of time during which login attempts remain blocked after a failed login. After this time elapses, login is reset and the username can attempt to log in again.
max_blocked_clients The maximum number of blocked usernames. This limits heap usage to avoid a potential DoS attack.
max_tracked_clients The maximum number of tracked usernames with failed login attempts. This limits heap usage to avoid a potential DoS attack.

IP address rate limiting

The IP address rate limiting configuration limits login attempts by IP address. When a login fails, the IP address specific to the machine being used for login is blocked.

Configuring IP address rate limiting involves two steps. First, set the challenge setting to false in the http_authenticator section of the config.yml file:

http_authenticator:
  type: basic
  challenge: false

For more information about this setting, see HTTP basic authentication.

Second, configure the IP address rate limiting settings. The following example shows a completed configuration:

auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 1
    time_window_seconds: 20
    block_expiry_seconds: 180
    max_blocked_clients: 100000
    max_tracked_clients: 100000

The following table describes the individual settings for this type of configuration.

Setting Description
type The type of rate limiting. In this case, ip.
allowed_tries The number of login attempts allowed before login attempts are blocked. Be aware that increasing the number increases heap usage.
time_window_seconds The window of time during which the value for allowed_tries is enforced. For example, if allowed_tries is 3 and time_window_seconds is 60, an IP address has 3 attempts to log in successfully within a 60-second time span before login attempts are blocked.
block_expiry_seconds The window of time during which login attempts remain blocked after a failed login. After this time elapses, login is reset and the IP address can attempt to log in again.
max_blocked_clients The maximum number of blocked IP addresses. This limits heap usage to avoid a potential DoS attack.
max_tracked_clients The maximum number of tracked IP addresses with failed login attempts. This limits heap usage to avoid a potential DoS attack.
ignore_hosts A list of IP addresses or hostname patterns to ignore for rate limiting. config.dynamic.hosts_resolver_mode must be set to ip-hostname to support hostname matching.
350 characters left

Have a question? .

Want to contribute? or .