This page last changed on Jul 06, 2010 by alui.

If you have Confluence administrator permissions, you can configure Confluence to impose a maximum number of repeated login attempts. After a given number of failed login attempts (the default is three), Confluence will display a Captcha form asking the user to enter a given word when attempting to log in again. This will prevent brute-force attacks on the Confluence login screen.

Similarly, after three failed login attempts via the XML-RPC or SOAP API, an error message will be returned instructing the user to log in via the web interface. Captcha will automatically be activated when they attempt this login.

'Captcha' is the technical term for a test that can distinguish a human being from an automated agent such as a web spider or robot. You can read more about Captcha on Wikipedia.

When Captcha is activated, users will need to recognise a distorted picture of a word, and must type the word into a text field. This is easy for humans to do, but very difficult for computers.

Screenshot 1: Example of a Captcha test

By default, Captcha for failed logins is enabled and the number of failed login attempts is set to three. You can disable Captcha for failed logins, or set the allowed number of failed login attempts.
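The behaviour described above can be modelled as a small state machine. This is an added illustration, not Confluence's own code: the class and method names are hypothetical, and it assumes failures are counted per username, are shared between the web form and the remote API, and are reset by a successful login.

```python
from enum import Enum


class Outcome(Enum):
    OK = "logged in"
    BAD_CREDENTIALS = "login failed"
    CAPTCHA_REQUIRED = "captcha required"        # web form shows the Captcha test
    USE_WEB_LOGIN = "log in via web interface"   # error returned to XML-RPC/SOAP clients


class LoginThrottle:
    """Illustrative model of Captcha-on-failed-login; not Confluence code."""

    def __init__(self, check_password, max_attempts=3):
        # The admin screen only accepts a number greater than zero.
        if max_attempts <= 0:
            raise ValueError("max_attempts must be greater than zero")
        self.check_password = check_password   # callable(user, password) -> bool
        self.max_attempts = max_attempts       # default of three, as on the page
        self.failures = {}                     # username -> failed logins so far

    def over_limit(self, user):
        return self.failures.get(user, 0) >= self.max_attempts

    def web_login(self, user, password, captcha_ok=False):
        # Assumption: past the limit, credentials are not evaluated at all
        # until the Captcha has been answered correctly.
        if self.over_limit(user) and not captcha_ok:
            return Outcome.CAPTCHA_REQUIRED
        return self._attempt(user, password)

    def api_login(self, user, password):
        # A remote API client cannot answer a Captcha, so it is told to
        # log in through the web interface instead.
        if self.over_limit(user):
            return Outcome.USE_WEB_LOGIN
        return self._attempt(user, password)

    def _attempt(self, user, password):
        if self.check_password(user, password):
            self.failures.pop(user, None)      # assumption: success resets the count
            return Outcome.OK
        self.failures[user] = self.failures.get(user, 0) + 1
        return Outcome.BAD_CREDENTIALS
```

In this model even a correct password is refused over the remote API once the limit is reached, which is what forces an automated client back to the Captcha-protected web form.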

To configure Captcha for failed logins in Confluence:

  1. Go to the Confluence 'Administration Console'. To do this:

    • Open the 'Browse' menu and select 'Confluence Admin'. The 'Administrator Access' login screen will be displayed.
    • Enter your password and click 'Confirm'. You will be temporarily logged into a secure session to access the 'Administration Console'.
  2. Select 'Security Configuration' from the 'Security' menu on the left.
  3. Click the 'Edit' button.
  4. Turn on Captcha by checking the 'Enable' checkbox next to 'CAPTCHA on login'.
  5. Set the maximum number of failed logins next to 'Maximum Authentication Attempts Allowed'. You must enter a number greater than zero.
  6. Click the 'Save' button.

Screenshot 2: Configuring Captcha for failed logins



Document generated by Confluence on Jul 09, 2010 01:08