Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

WebUI too many login attempts

Featured Replies

I was a dumbass and let my password manager autofill a few times before realizing it had the wrong thing saved.

 

So now I am locked out of the WebUI.

 

I can still SSH in, so is there a way to reset the WebUI login attempts?

  • Community Expert
4 minutes ago, tknx said:

I was a dumbass and let my password manager autofill a few times before realizing it had the wrong thing saved.

 

So now I am locked out of the WebUI.

 

I can still SSH in, so is there a way to reset the WebUI login attempts?

 

This is mentioned in the 6.9.2 release notes.

  • 1 month later...
On 4/14/2021 at 8:38 AM, tknx said:

I was a dumbass and let my password manager autofill a few times before realizing it had the wrong thing saved.

 

So now I am locked out of the WebUI.

 

I can still SSH in, so is there a way to reset the WebUI login attempts?

 

I just did the same exact thing just now!
 

On 4/14/2021 at 8:45 AM, itimpi said:

 

This is mentioned in the 6.9.2 release notes.

Thanks for this.

  • 4 months later...
On 4/14/2021 at 11:45 AM, itimpi said:

 

This is mentioned in the 6.9.2 release notes.

For other people looking for the answer without having to click through. 

 

It's 3 failed attempts in a 15 minute interval

  • 2 months later...

Great. How do I manually reset the counter via SSH.

How do I increase the failed attempt count to something reasonable like 10 attempts within 15 minutes?

IMO, a limit of 3 is asinine.

  • 4 weeks later...
On 1/4/2022 at 8:34 PM, bitcore said:

Great. How do I manually reset the counter via SSH.

How do I increase the failed attempt count to something reasonable like 10 attempts within 15 minutes?

IMO, a limit of 3 is asinine.

In the doc they refer to /var/log/pwfail/<ip-address>

I tried to ssh into the server and delete the file created for my failed attempts, my ip address.

And it worked, no need to wait 15 min. :)

Edited by Plasmon
typo

  • 1 month later...
cd /var/log/pwfail

rm [IP.ADDRESS.OF.DEVICE.USED.WHICH.FAILED.LOGIN.]

 

Thanks a million.

  • 1 month later...
On 10/26/2021 at 1:18 PM, jxjelly said:

For other people looking for the answer without having to click through. 

 

It's 3 failed attempts in a 15 minute interval

Great. I fat fingered my login because my password locker wasn't available at the time.

 

This isn't seeing the forest for the trees. The Web UI wouldn't be a vector of attack. SSH is already open - this is where attackers would focus their efforts in a serious security breach. Well, maybe the web ui could be used for a 'bobby tables' type of situation.

 

exploits_of_a_mom.png

 

Sigh. I guess it would be a vector of attack... (yes I just literally talked myself out of my own argument)

Edited by jaylo123

  • 1 month later...
On 3/20/2022 at 5:18 PM, Phaiz said:
cd /var/log/pwfail

rm [IP.ADDRESS.OF.DEVICE.USED.WHICH.FAILED.LOGIN.]

 

Thanks a million.

 

I was stuck, but this worked for me after I removed the brackets. Just rm and the IP.

  • 4 months later...

Anyone know how to change this to a more sane value? 3 failed attempts before a 15 minute cool down is super paranoia levels.

 

3 failed attempts and a 90 second cool down? Reasonable.

10 failed attempts and a 15 minute cool down? Reasonable.

 

3 failed attempts and a 15 minute cool down is super annoying. My laptop keyboard is crappy and often misses letters, and it takes me 3 attempts just to remember my username anyway...

9 hours ago, pconwell said:

it takes me 3 attempts just to remember my username anyway...

root is the only option

  • 5 months later...

@pconwell This has happened to me twice in my own home within my own isolated network. Unfortunately the defaults are hard coded in /usr/local/emhttp/login.php. You could edit that file but it probably won't survive an update.

As a dirty workaround, I disabled this feature by changing the "/var/log/pwfail" folder into a file:

rm -r /var/log/pwfail
touch /var/log/pwfail

You could also create a cron job to delete the files in that folder but this way is simpler. The next time you enter your password incorrectly three times in a row you'll just see an error message saying it can't write to that folder and you won't be locked out of your own computer.

Of course if you're on a shared network think twice about doing this. Your computer, your choice.

  • 1 month later...
On 10/27/2021 at 2:18 AM, jxjelly said:

For other people looking for the answer without having to click through. 

 

It's 3 failed attempts in a 15 minute interval

thanks very much!

  • 1 month later...
On 3/20/2022 at 10:18 PM, Phaiz said:
cd /var/log/pwfail

rm [IP.ADDRESS.OF.DEVICE.USED.WHICH.FAILED.LOGIN.]

This no longer works btw., I get a server error 500 trying to log into the web interface whenever I do that.

  • 4 months later...
On 8/3/2023 at 2:19 PM, AbstractionMage said:

This no longer works btw., I get a server error 500 trying to log into the web interface whenever I do that.

Confirmed working today, tested myself. Submitted 3 bogus logins, ssh'd into the server, removed /var/log/my.ip.add.ress, and was able to log in immediately. Your 500 error is likely unrelated.

  • 3 weeks later...
  • Community Expert

Had my turn today.

Was able to change IP of PC logging in from LAN (.14 > .214 in my case) and it worked.  The principle may work in a remote scenario if using vpn to change the ip.

  • 3 months later...
  • Community Expert

I would also like to know how (if possible) to increase the failed attempts, or decrease the wait time, since I only know what SSH does from watching movies and TV.

  • 2 months later...

To increase the number of attempts or lockout length edit `/vim/security/faillock.conf` (you'll need to restart or restart services)

  • 4 weeks later...
On 3/20/2022 at 10:18 PM, Phaiz said:
cd /var/log/pwfail

rm [IP.ADDRESS.OF.DEVICE.USED.WHICH.FAILED.LOGIN.]

 

Thanks a million.

This! 
To make it extremely simple;

#Step 1: Navigate to the Folder Containing the Password Failure Logs
cd /var/log/pwfail

#Step 2: Inspect the Log File Manually
#You can manually inspect the log file to view the dates and times of failed login attempts.

nano <IP_ADDRESS_OF_DEVICE>

#Step 3: Delete the Log File
#If you wish to delete the log file, use the following command:

rm <IP_ADDRESS_OF_DEVICE>

 

Edited by Dronkie
codeblocks were hard to read

On 4/16/2023 at 5:07 PM, urUser said:

@pconwell This has happened to me twice in my own home within my own isolated network. Unfortunately the defaults are hard coded in /usr/local/emhttp/login.php. You could edit that file but it probably won't survive an update.

As a dirty workaround, I disabled this feature by changing the "/var/log/pwfail" folder into a file:

rm -r /var/log/pwfail
touch /var/log/pwfail

You could also create a cron job to delete the files in that folder but this way is simpler. The next time you enter your password incorrectly three times in a row you'll just see an error message saying it can't write to that folder and you won't be locked out of your own computer.

Of course if you're on a shared network think twice about doing this. Your computer, your choice.

 

I'm dumb and I did this and now when I login (with correct username and password), I just get a blank white screen in the WebGUI. Anybody know how to fix this?

 

EDIT: Never mind, just reset the server and we're back in action. Carry on.

Edited by cbtiger

  • 3 months later...

This is a dumb as hell issue.

I have to watch a whole anime episode before, I get to try again.

 

Seriously, i'm just going to make my password super simple, and have it auto save'd in the browser. and disable it from logging failed password attempts. 

 

 

  • 3 weeks later...
On 7/8/2024 at 2:26 PM, 53kl2s said:

To increase the number of attempts or lockout length edit `/vim/security/faillock.conf` (you'll need to restart or restart services)

 

This file doesn't exist, at least not on version 7.

I found one at etc/security/faillock.conf but changes on this file are not persistent after reboot.

 

Pretty annoying this isn't easily configurable to be honest, devs should stop being so opinionated on paid applications IMO.

 

 

  • 1 month later...
  • 3 weeks later...

After rebooting the server could not login error message could not connect.

Connected my HDMI cable and forced a hard reset watched the screen and no errors

Try to login from the login screen and get an invalid login

 

I can ping the ip address and name it's all fine.

Connect an ethernet cable to my laptop and still won't connect

 

Can't connect through the network it worked all day until reboot. Can someone come up with a few suggestions?
 

 

 

  • 11 months later...

And today it's my turn.

Just adding that this is an incredibly short sighted and such a stupid annoying limit that will only affect real users without 0 additional protection.

Make it 7 or 10 in 15min + 3 in 2 min or whatever.

Like honestly, who didn't think this through and decided to implement this?

Come on now, do better.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.