From 0d8ee5e6a95d767e432e8f696fbc95e9a04de24c Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 23 Apr 2017 18:57:45 +0200 Subject: [PATCH] config: increased the default max-ban-score to 8 wrong password attempts This still prevents abuse, while allowing few more attempts than 5, which are typically easily reached through software which remembers passwords. At the same time increase the default ban time to 20 minutes. Signed-off-by: Nikos Mavrogiannopoulos --- NEWS | 2 ++ doc/sample.config | 4 ++-- src/ocserv-args.def | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 365ed8ad..cd91fbfc 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ - Report additional statistics to syslog and occtl, such as authentication failures, total sessions handled, total amount of data transferred, average session and authentication time. +- Increased the default max-ban-score to 8 wrong password attempts, and + increased the default IP ban time to 20 minutes. * Version 0.11.7 (released 2017-02-12) diff --git a/doc/sample.config b/doc/sample.config index 7754ce44..57f4acad 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -328,10 +328,10 @@ min-reauth-time = 300 # locally from an HTTP server (i.e., when listen-clear-file is used). # # Set to zero to disable. -max-ban-score = 50 +max-ban-score = 80 # The time (in seconds) that all score kept for a client is reset. -ban-reset-time = 300 +ban-reset-time = 1200 # In case you'd like to change the default points. #ban-points-wrong-password = 10 diff --git a/src/ocserv-args.def b/src/ocserv-args.def index 111a28d9..ee97e3e2 100644 --- a/src/ocserv-args.def +++ b/src/ocserv-args.def 
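Review bot: In the doc/sample.config hunk, the new `max-ban-score = 80` only means 8 wrong passwords because the commented default below it is `ban-points-wrong-password = 10`, and the visible comment does not say so. An administrator who changes the points value silently changes the attempt budget, so I would add a comment line above the key such as `# 80 allows 8 wrong passwords at the default of 10 points each.` The same hunk raises `ban-reset-time` to 1200, and since the NEWS entry describes the ban as per IP, one more comment line should note that clients sharing an address share the score for those 20 minutes. The identical text in the src/ocserv-args.def hunk needs the same two comments. The comment block starts above the hunk, so its opening lines are not visible here.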
@@ -425,10 +425,10 @@ min-reauth-time = 120
 # locally from an HTTP server (i.e., when listen-clear-file is used).
 #
 # Set to zero to disable.
-max-ban-score = 50
+max-ban-score = 80
 
 # The time (in seconds) that all score kept for a client is reset.
-ban-reset-time = 300
+ban-reset-time = 1200
 
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
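Review bot: The subject says the default changes, but the diffstat lists only NEWS, doc/sample.config and src/ocserv-args.def, and this hunk appears to edit the same sample-configuration text as the doc/sample.config hunk rather than a value the server falls back on. If the value used when `max-ban-score` or `ban-reset-time` is absent from the configuration is defined elsewhere in the source, it presumably still holds the old numbers, so deployments that omit these keys would keep the previous lockout behaviour; that should be confirmed and, if so, updated in the same commit. Separately, the commit message calls 1200 a ban time while the context comment here describes `ban-reset-time` as the time after which the score is reset. Rewording it to `# The time (in seconds) after which the score kept for a client is reset.` and stating whether this also bounds the ban length would remove the ambiguity.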