Configuring Threat Protection
Auris provides three configurable protection layers that work together in the login security pipeline: IP rules (network-level blocking), suspicious login detection (behavioral analysis), and CAPTCHA (bot mitigation). Each layer operates independently and can be configured to match your security requirements.
This guide walks through the practical setup of each layer and explains how they fit into the full login pipeline.
Protection Layers Overview
| Layer | What It Does | Where It Runs | Latency Impact |
|---|---|---|---|
| IP Allow/Block Lists | Block or allow requests based on source IP/CIDR range | Before authentication | Negligible (in-memory CIDR match) |
| CAPTCHA | Challenge bots and automated scripts | Before authentication | 100-500ms (external verification API) |
| Suspicious Login Detection | Detect anomalous login behavior (new device, impossible travel, VPN) | After authentication | 50-300ms (GeoIP lookup) |
All three layers are non-blocking to each other — configuring one does not affect the others.
IP Allow/Block Lists
IP rules use CIDR notation to control which IP addresses can access your tenant’s authentication endpoints.
Rule Types and Precedence
| Rule Type | Behavior |
|---|---|
| BLOCK | Immediately reject requests from matching IPs with HTTP 403 |
| ALLOW | Explicitly permit traffic from matching IPs |
Precedence: BLOCK rules always take priority over ALLOW rules within the same scope. If an IP matches both a BLOCK and an ALLOW rule, it is blocked.
Scope
Rules can be scoped at two levels:
- Tenant scope (
scope: TENANT) — applies to all applications under the tenant - Application scope (
scope: APPLICATION) — applies only to a specific application
Application-scoped rules are evaluated after tenant-scoped rules. A tenant-level BLOCK cannot be overridden by an application-level ALLOW.
Setting Up IP Rules
Navigate to IP Rules
In the Auris Console, go to Settings -> IP Rules.
Create a Block Rule
Click Add Rule and configure:
{
"cidr": "203.0.113.0/24",
"type": "BLOCK",
"scope": "TENANT",
"label": "Known attack source",
"note": "Blocked after credential stuffing attack on 2025-06-01"
}Create a Temporary Block
For time-limited blocks (e.g., during an active attack), enable the temporary flag:
{
"cidr": "198.51.100.42/32",
"type": "BLOCK",
"scope": "TENANT",
"label": "Temporary block - active attack",
"isTemporary": true,
"expiresAt": "2025-07-01T00:00:00Z"
}Temporary rules are automatically deactivated after the expiry time.
Create an Office Allow List
If you want to ensure your corporate IPs are always permitted (even during broad blocks):
{
"cidr": "10.0.0.0/8",
"type": "ALLOW",
"scope": "TENANT",
"label": "Corporate network"
}Programmatic Management
IP rules can also be managed via the API for automated incident response:
// Block an IP range programmatically after detecting an attack
await fetch('https://auth.yourdomain.com/api/ip-rules', {
method: 'POST',
headers: {
'Authorization': `Bearer ${adminToken}`,
'Content-Type': 'application/json',
'x-tenant': 'your-tenant',
},
body: JSON.stringify({
cidr: '192.0.2.0/24',
type: 'BLOCK',
scope: 'TENANT',
label: 'Automated block - rate limit exceeded',
isTemporary: true,
expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
}),
})CIDR Quick Reference
| Notation | Addresses | Example |
|---|---|---|
/32 | 1 (single IP) | 203.0.113.42/32 |
/24 | 256 | 203.0.113.0/24 |
/16 | 65,536 | 203.0.0.0/16 |
/8 | 16,777,216 | 10.0.0.0/8 |
Suspicious Login Detection
After a user’s credentials are verified, Auris analyzes the login context for behavioral anomalies using five independent detectors.
Detection Methods
1. New Device
A fingerprint hash is computed from browser user agent, screen resolution, and other stable signals. First-time devices are flagged. The fingerprint is recorded after successful login for future comparison.
2. New IP Address
Auris tracks the IP addresses a user has previously logged in from. A login from an IP not seen for this account triggers the detector.
3. New Country
GeoIP lookup determines the country of the login IP. A country not previously seen in the user’s login history triggers the detector.
4. Impossible Travel
The geographic distance between the current and most recent login is divided by the elapsed time to compute implied travel speed. If the speed exceeds the configured threshold (default: 800 km/h), the login is flagged as impossible travel.
5. VPN / Proxy / Datacenter
GeoIP metadata identifies IPs belonging to known VPN providers, proxies, or cloud datacenters. These are flagged by default but can be allowed for organizations whose users commonly use VPNs.
Configuring Actions
Each detector can be configured independently with one of four actions:
| Action | Effect |
|---|---|
log | Record the event in audit logs only. No user impact. |
notify | Send a notification email to the user. Login proceeds. |
block | Reject the login entirely. The user must contact an administrator. |
require_mfa | Allow the login but force MFA completion, even if MFA is not normally required for this user. |
Configure via Console -> Settings -> Suspicious Login Detection:
| Detector | Recommended Action | Notes |
|---|---|---|
| New device | notify | Alert the user, but do not block — new devices are common |
| New IP | log | Most users have dynamic IPs. Blocking would be too aggressive. |
| New country | require_mfa | Strong signal of compromise. Force MFA verification. |
| Impossible travel | block | Very strong signal. Block and alert. |
| VPN/proxy | log | Depends on your user base. Block if VPN use is not expected. |
GeoIP Provider
| Provider | Configuration | Latency | Privacy |
|---|---|---|---|
| ip-api.com (default) | No setup required | 50-200ms per login (external API call) | IPs sent to third-party service |
| MaxMind GeoLite2 | GEO_IP_PROVIDER=maxmind, MAXMIND_DB_PATH=/path/to/db | <1ms (local file lookup) | No external calls |
For production deployments with high login volume, use the MaxMind local database to avoid rate limits on the ip-api.com free tier and to eliminate external API dependency. A free MaxMind account is required to download the GeoLite2 database.
Reviewing Events
Suspicious login events are visible in Console -> Settings -> Suspicious Login Detection -> Events. Each event shows:
- User email and ID
- Detection reason (new device, impossible travel, etc.)
- Severity (low, medium, high)
- Action taken (logged, notified, blocked, MFA required)
- IP address, country, and device information
- Timestamp
Administrators can mark events as reviewed to track investigation status.
CAPTCHA
CAPTCHA protects login, signup, and password reset pages from automated bots. Auris supports three providers and three trigger modes.
Supported Providers
| Provider | Type | Setup |
|---|---|---|
| Cloudflare Turnstile | Proof-of-work, no image challenges | dash.cloudflare.com -> Turnstile -> Add Site |
| hCaptcha | Image-based challenges | dashboard.hcaptcha.com |
| reCAPTCHA v3 | Score-based, invisible | www.google.com/recaptcha |
Cloudflare Turnstile is recommended for most deployments. It provides strong bot protection without image challenges (better user experience) and has a generous free tier.
Trigger Modes
| Mode | When CAPTCHA Appears | Best For |
|---|---|---|
ALWAYS | Every login, signup, and password reset attempt | High-security environments |
ON_SUSPICIOUS | When the adaptive MFA risk score exceeds the configured threshold | Balanced security and UX |
AFTER_FAILURES | After N consecutive failed login attempts from the same IP | Minimal friction for legitimate users |
Setup Steps
Choose a Provider
Select your CAPTCHA provider in Console -> Settings -> CAPTCHA.
Configure Keys
Enter the Site Key (used in the browser to render the CAPTCHA widget) and Secret Key (used server-side to verify responses) from your provider’s dashboard.
Set the Trigger Mode
Choose when CAPTCHA should appear:
- For
AFTER_FAILURES, set the failure threshold (e.g., 3 consecutive failures) - For
ON_SUSPICIOUS, the threshold is derived from the adaptive MFA risk score
Set Score Threshold (reCAPTCHA v3 only)
reCAPTCHA v3 returns a score between 0.0 (likely bot) and 1.0 (likely human). Set the minimum score threshold for passing verification (recommended: 0.5).
Enable on Pages
Toggle which pages require CAPTCHA:
- Login page (recommended)
- Signup page (recommended)
- Password reset page (optional)
CAPTCHA verification is performed server-side on the Auris API before credentials are checked. Even if a client bypasses the CAPTCHA widget in the browser, the login request will fail without a valid verification token from the CAPTCHA provider.
The Complete Login Security Pipeline
When a user attempts to log in, the request passes through all protection layers in sequence. Each layer can short-circuit the pipeline:
Incoming login request
|
v
1. IP Allow/Block Check
BLOCK rule matched? --> HTTP 403, stop
|
v
2. CAPTCHA Verification (if configured)
Invalid or missing token? --> HTTP 400, stop
|
v
3. Rate Limiting
Per-IP or per-user limit exceeded? --> HTTP 429, stop
|
v
4. Brute-Force Lockout Check
Account or IP locked? --> HTTP 423, stop
|
v
5. Keycloak Authentication
Invalid credentials? --> record failure, HTTP 401, stop
|
v
6. Suspicious Login Analysis
Run 5 detectors, execute configured actions
Action = block? --> HTTP 403, stop
Action = require_mfa? --> force MFA step
|
v
7. Adaptive MFA Risk Scoring
5-factor weighted score
Score above threshold? --> require MFA step-up
|
v
8. Token Issuance
Set ACR/AMR claims
Return access token + refresh tokenSteps 1-4 are fast, synchronous checks that filter out obviously malicious traffic before reaching the more expensive authentication and analysis steps.
Best Practices for Production
-
Start with logging: Enable all suspicious login detectors in
logmode first. Review events for a week to understand your baseline before switching toblockorrequire_mfa. -
Use temporary IP blocks: During an active attack, create temporary BLOCK rules with a 24-48 hour expiry rather than permanent blocks. This prevents accidental long-term lockouts.
-
Layer CAPTCHA with rate limiting: Use
AFTER_FAILUREStrigger mode so legitimate users never see CAPTCHA, while attackers hit it after 3-5 failed attempts. -
Deploy MaxMind locally: For deployments handling more than 1000 logins per hour, switch from ip-api.com to MaxMind GeoLite2 to avoid external API rate limits and reduce latency.
-
Monitor the pipeline: Review audit logs regularly for patterns. A sudden spike in
impossible_travelornew_countrydetections may indicate a credential stuffing attack. -
Combine with MFA: Threat protection works best alongside Multi-Factor Authentication. Enable MFA for all users and use suspicious login detection to trigger step-up auth for anomalous logins.
API Endpoints
/api/ip-rulesRequires: manage:usersList all IP rules for the tenant. Supports filtering by type, scope, and active status.
/api/ip-rulesRequires: manage:usersCreate a new IP allow or block rule.
/api/ip-rules/:idRequires: manage:usersUpdate an existing IP rule (change label, extend expiry, toggle active status).
/api/ip-rules/:idRequires: manage:usersDelete an IP rule.
/api/suspicious-login/eventsRequires: manage:usersList suspicious login events. Filterable by severity, reason, user, and date range.
/api/suspicious-login/events/:id/reviewRequires: manage:usersMark a suspicious login event as reviewed.
/api/suspicious-login/configRequires: manage:usersGet the current suspicious login detection configuration.
/api/suspicious-login/configRequires: manage:usersUpdate suspicious login detection settings (enable/disable detectors, set actions, configure thresholds).
/api/captcha/configRequires: manage:usersGet the current CAPTCHA configuration.
/api/captcha/configRequires: manage:usersUpdate CAPTCHA settings (provider, keys, trigger mode, score threshold).
Required Permissions
| Operation | Permission |
|---|---|
| Manage IP rules | manage:users |
| View/review suspicious login events | manage:users |
| Configure suspicious login detection | manage:users |
| Configure CAPTCHA | manage:users |
| Configure security settings (Console) | Tenant OWNER or ADMIN only |
Related Guides
- Attack Protection — Rate limiting, brute-force lockout, password security, and the full pipeline reference
- Multi-Factor Authentication — TOTP, SMS OTP, WebAuthn, and adaptive MFA
- Implementing DPoP — Token binding to prevent token theft
- Session Management — Managing user sessions and session policies