Skip to Content
Admin ConsoleSecurity Settings

Security Settings

The Security section of the Console provides controls for protecting your Auris tenant against unauthorized access, credential stuffing, brute-force attacks, and automated abuse. All security protections operate at the platform level and apply across all applications in your tenant.

Access Security Settings via ConsoleSettingsSecurity.


IP Allow / Block Lists

IP rules let you explicitly permit or deny login attempts from specific IP addresses or CIDR ranges. Rules are evaluated before authentication, meaning a blocked IP is rejected before any credentials are checked.

How Rules Work

Auris evaluates IP rules in the following order:

  1. Block rules are checked first. If the incoming IP matches any block rule, the request is rejected immediately.
  2. Allow rules are checked next. If the tenant has any allow rules configured and the incoming IP does not match any allow rule, the request is rejected.

This means:

  • If you have no IP rules, all IPs are permitted
  • If you have only block rules, all IPs except those blocked are permitted
  • If you have any allow rules, only IPs matching those allow rules are permitted (plus any explicitly blocked rules override the allow rules)

Rule Scope

ScopeBehavior
Tenant-wideApplies to all login attempts across all applications
Per-applicationApplies only when logging in to a specific registered application

Adding an IP Rule

Open IP Rules

Go to SettingsSecurityIP Allow / Block Lists.

Click Add Rule

Click the Add Rule button.

Fill in the rule details

FieldRequiredDescription
CIDR RangeYesIP address or CIDR block (for example, 192.168.1.0/24 or 203.0.113.42/32)
Rule TypeYesAllow or Block
ScopeYesTenant-wide or a specific application
LabelNoA short name for administrative reference (for example, “Office Network”)
NoteNoAdditional details about why this rule exists
TemporaryNoWhether this rule expires automatically
Expires AtIf temporaryThe datetime when this rule is automatically removed

Save

Click Save. The rule takes effect immediately.

Common Use Cases

  • Block a known bad actor’s IP range: Add a block rule for the attacker’s CIDR range
  • Restrict an admin application to office IPs: Add allow rules for your office IP ranges and set scope to the admin application
  • Temporary access for a contractor: Add a temporary allow rule that expires after their engagement ends

Be careful when adding tenant-wide allow rules. If you add an allow rule without also having rules that cover all legitimate users’ IP ranges, you may lock users out. Always test with a specific application scope before applying allow rules tenant-wide.


Brute-Force Protection

Brute-force protection automatically locks out user accounts after a configured number of consecutive failed login attempts. This defends against password guessing and credential stuffing attacks.

Configuration

Go to SettingsSecurityBrute-Force Protection.

SettingDescriptionDefault
Failed Attempts ThresholdNumber of consecutive failures before lockout10
Lockout DurationHow long the account is locked (minutes)15
Lockout Duration MultiplierMultiplier applied to lockout duration for repeated lockouts1 (no escalation)
Lockout ScopeLock per IP, per account, or bothPer account

Lockout Duration Multiplier

When set above 1, each subsequent lockout for the same account increases the lockout duration:

  • First lockout: 15 minutes
  • Second lockout (multiplier = 2): 30 minutes
  • Third lockout: 60 minutes
  • And so on

This escalation policy makes repeated automated attacks progressively more expensive.

Managing Locked Accounts

The Locked Accounts table on the Brute-Force Protection page shows all currently locked accounts:

ColumnDescription
UserEmail and name
Locked SinceWhen the account was locked
Unlocks AtWhen the lockout automatically expires
ReasonWhich protection tier triggered the lockout

Manual Unlock

Click Unlock next to any account to immediately release the lockout without waiting for the timer. Use this when a legitimate user contacts support after being locked out.


Suspicious Login Detection

Suspicious login detection analyzes each successful login for behavioral signals that may indicate account compromise. Unlike brute-force protection (which triggers on failures), suspicious login detection runs after authentication succeeds.

Detection Methods

Enable or disable each detector independently:

DetectorDescriptionRecommended
New DeviceLogin from a device fingerprint not previously seen for this userYes
New IP AddressLogin from an IP not previously used by this userOptional (high volume on mobile)
New CountryLogin from a country not previously seen for this userYes
Impossible TravelLogin location is physically unreachable from the previous login location in the elapsed timeYes
VPN / ProxyLogin IP is identified as a VPN exit node, proxy server, or data centerOptional

Actions Per Detection

For each detection type, configure what happens when a suspicious login is detected:

ActionBehavior
Log OnlyRecord the event in audit logs. No user impact.
Notify UserSend an email to the user informing them of the suspicious login.
Block LoginReject the authentication, even after successful credentials and MFA.
Require MFADemand an additional MFA factor if not already completed.

You can set different actions for different detection types. A recommended starting configuration:

DetectorAction
New DeviceNotify User
New CountryRequire MFA
Impossible TravelBlock Login
VPN / ProxyLog Only

Impossible Travel Configuration

SettingDescriptionDefault
Maximum Travel SpeedMaximum km/h that the algorithm considers physically possible900 km/h (airplane speed)
GeoIP ProviderThe service used for IP-to-location mappingip-api.com (free)

GeoIP Providers

ProviderCostAccuracyNotes
ip-api.comFree (1000 req/min)City levelGood for most use cases
MaxMind GeoIP2Paid licenseCity levelHigher accuracy, offline database

To use MaxMind, enter your MaxMind license key in the GeoIP configuration and Auris will use the MaxMind API for lookups.

Reviewing Suspicious Login Events

Go to SettingsSecuritySuspicious Logins to see a table of all detected events:

ColumnDescription
UserWho authenticated
TimestampWhen the login occurred
Detection ReasonWhich detector was triggered
SeverityLow, Medium, or High
Action TakenWhat Auris did (log, notify, block, require MFA)
ReviewedWhether an administrator has reviewed this event

Click any event to see full details including the source IP, resolved location, device fingerprint, and the previous login data that triggered the anomaly.

Mark events as reviewed to track which suspicious logins have been investigated.


CAPTCHA

CAPTCHA integration adds a bot challenge to specified authentication pages, reducing automated account creation, login abuse, and credential stuffing attacks.

Supported Providers

ProviderTypeNotes
Cloudflare TurnstileChallenge-free / invisibleRecommended. No user interaction required in most cases.
hCaptchaImage challengePrivacy-focused alternative to reCAPTCHA
reCAPTCHA v3Score-based / invisibleScore-based, no explicit challenge shown to users

Configuration

Select a CAPTCHA provider

Go to SettingsSecurityCAPTCHA and choose your provider from the dropdown.

Obtain credentials from the provider

  • Cloudflare Turnstile: Create a site at dash.cloudflare.com  under Turnstile. Copy the Site Key and Secret Key.
  • hCaptcha: Register at hcaptcha.com  and create a site. Copy the Site Key and Secret Key.
  • reCAPTCHA v3: Register at google.com/recaptcha . Copy the Site Key and Secret Key.

Enter credentials in the Console

Enter the Site Key (public, used in the browser) and Secret Key (used server-side for verification) in the CAPTCHA configuration form.

Configure the trigger

TriggerBehavior
AlwaysCAPTCHA challenge on every page load, for every user
On SuspiciousCAPTCHA triggered only when the IP or user agent appears suspicious
After FailuresCAPTCHA triggered after a configurable number of failed login attempts

Choose which pages show CAPTCHA

Toggle which authentication pages should include the CAPTCHA challenge:

  • Login page
  • Registration page
  • Password reset page

Set score threshold (reCAPTCHA v3 and Turnstile only)

For score-based providers, set the minimum score to accept. Requests scoring below the threshold are rejected as likely bots. Recommended starting value: 0.5.

Cloudflare Turnstile is the recommended provider because it is privacy-preserving, works without user interaction in most cases (no image puzzles), and is free for most traffic volumes. If your application is served behind Cloudflare, Turnstile performance is significantly improved.


Rate Limiting

Auris applies sliding-window rate limiting to all API endpoints to prevent abuse and protect against denial-of-service conditions. Rate limiting is configured at the platform level and is not fully customizable from the Console, but the current limits are visible in the Console.

Rate Limit Tiers

Go to SettingsSecurityRate Limiting to view the current configuration:

TierApplies ToDefault LimitWindow
AuthLogin, token exchange, password reset, magic link request10 requests1 minute
SensitiveMFA verification, account settings changes, email changes5 requests1 minute
APIAll authenticated API requests100 requests1 minute
PublicUnauthenticated endpoints (OIDC discovery, JWKS, health)30 requests1 minute

Rate Limit Response Headers

When a rate limit is applied, the API returns HTTP 429 Too Many Requests with standard headers:

X-RateLimit-Limit: 10 X-RateLimit-Remaining: 0 X-RateLimit-Reset: 1736000000 Retry-After: 60

Note: Rate limit thresholds are configurable at the infrastructure level in apps/api/.env. The Console page is read-only and shows the currently active configuration.


Attack Protection Dashboard

Go to SettingsAttack Protection for an overview dashboard showing security activity across all protection layers:

  • Recent Blocked Attempts: Timeline chart of IP-blocked requests over the last 7 days
  • Brute-Force Lockouts: Count of account lockouts, most targeted accounts
  • Suspicious Login Events: Count by severity, actions taken
  • CAPTCHA Failures: Rate of requests rejected by CAPTCHA score threshold

Use this dashboard during a suspected attack to monitor protection effectiveness in real time.