Security


The following settings are available in this menu:

  • Server public address template (Added support for external load balancer for ISL Conference Proxy)
  • Use single public address in GRID (This option has to be enabled to use external load balancer for ISL Conference Proxy, make sure you also set Server public address template (above) and have correct settings in DNS Server Zones tab.)
  • Do not use service public addresses for web pages
  • Alternate (for CDN) addresses for web pages (Enter alternate addresses of web pages used by the Content Delivery Network)
  • Alternate (for CDN) addresses for other services (Enter alternate addresses for services used by Content delivery network)
  • Allow X-Forwarded-For header (for CDN) for IP ranges
  • Record client IPs (Enable to record client IP addresses)
  • Max recorded client IPs to hold in memory (Number of IP addresses stored)
  • Save recorded client IPs interval in seconds
  • Disable automatic SSL usage on web pages (enable/disable automatic usage of SSL on web pages)
  • Force SSL for all user web pages (enable/disable forcing SSL for user web pages)
  • Use SSL only for login on user web pages
  • Blocked file extensions for user upload (.exe ...): (block files of the specified types from being uploaded through modules that support file upload and download (e.g. ISL Groop, ISL Pronto, ISL AlwaysOn))
  • Allowed file extensions for user upload (.txt ...): (allow only files of the specified types to be uploaded through modules that support file upload and download (e.g. ISL Groop, ISL Pronto, ISL AlwaysOn))

Note:

Settings for Blocked file extensions and Allowed file extensions work in combination as follows:

  • If allowed file extensions are specified then they act as a "whitelist", meaning that only the allowed file extensions can be uploaded.
  • If the same file extension is specified as Allowed and Blocked at the same time then you will not be able to upload it.
  • If allowed file extensions are not specified then Blocked file extensions act as a "blacklist", meaning you will not be able to upload the specified types of files.
  • Allow inline download of untrusted files (MIME type regex ...): (set which files can be downloaded inline - they will be shown in the browser rather than downloaded directly. Be careful when adding new file types as they can pose a security risk, e.g. .svg files can contain embedded JavaScript.) The default syntax below allows text and image files (jpeg, png, gif and webp) to be downloaded inline:
image/(jpeg|png|gif|webp)
text/plain
  • Hide server version in HTTP response and SMTP headers (allow/deny server version to be shown in HTTP response and SMTP headers when sending emails)
  • Disable autocomplete for web login forms (Disable autocomplete function for forms on login pages)
  • Do not cache encrypted web pages to disk (Enable/disable caching of encrypted web pages to disk)
  • Hide account status when performing forgotten password procedure (When forgotten password procedure is triggered, the server will not show if the email entered has an account registered to it - avoids email enumeration, but reduces amount of user feedback)
  • Allow sending forgotten password emails to unregistered email accounts (Allow sending forgotten password emails to addresses not registered with ISL Online account)
  • Allow sending emails by authenticated user (Set if registered user can send emails)
  • Record client address in SMTP headers (client's IP address is added to SMTP header when sending an email)
  • Enable insecure redirect handler (backwards compatibility only)
  • Disable framing of web pages (When true (default) ICP will set X-Frame-Options: SAMEORIGIN for security reasons, preventing ICP from being used in HTML frames.)
  • Force SSL for WebSockets (enable/disable forcing SSL for WebSockets)
  • Force SSL for WEBAPI (enable/disable forcing SSL for WEBAPI)
  • Force SSL for WEBAPI2 (enable/disable forcing SSL for WEBAPI2)
  • Filters that define access to webapi2 (Define filters for accessing webapi2 and web pages.) Example of the filter syntax:
[user_id=s-1_0_0|path=/users/isllight]

allow_ip 1.2.3.0/24;

[/users/isllight]

[/users]

allow_ip 1.2.3.0/24;


Note: In the example above, user web pages can be accessed only from 1.2.3.0/24, and ISL Light cannot be accessed by anyone except the user with id s-1_0_0 connecting from 1.2.3.0/24.

#[ip 172.16.120.180]

#filter deny_method utils/counters/query;

#filter deny_user s20_1_1
  • Filters that define access to web pages (Specify filters that restrict access to web pages served by ISL Conference Proxy. Filters based on geolocation and user agents (browsers) are supported as well.) Examples of the filter syntax: (Note: the Browser (User Agent) value has to be URL-encoded)
#Deny access to /user/main/login.html page for specific IPs
[/users/main/login.html]
allow_ip 1.2.3.0/24;
allow_ip 172.16.1.0/24;
allow_ip 172.16.99.0/24;

#Deny access to /users/main/downloads.html for users from Slovenia (country code SI)
[/users/main/downloads.html]
filter deny_geoipcc SI

#Deny access to /users/main/downloads.html for users using Google Chrome
#Make sure to put allow_all flag at the end to allow other UAs besides Chrome to access the website
[/users/main/downloads.html]
deny_ua Mozilla%2F5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F71.0.3578.98%20Safari%2F537.36
allow_all
  • SSL DH parameters minimum bits (minimum number of bits for the parameters of the Diffie-Hellman key exchange used to negotiate a symmetric key)
  • SSL client initiated renegotiation (controls whether a connecting client is allowed to initiate an SSL renegotiation on the server or not)
  • TLS ticket refresh interval in seconds (set interval after which TLS session ticket is refreshed and a fresh handshake is required)
  • User privileges settings (set which users have the permission to attach and resume sessions)
#Default values, "star" means that all users have that permission
#Replace "star" with username if you want to limit the permission to a specific user
[light_session]
star:resume
star:attach
  • User is Domain Admin (set whether the user is an administrator of the domain and whether this setting can be overridden on a per-user or per-domain basis)
  • User can create, edit and delete users if he is Domain Admin (if the user is a domain admin, whether they can create, edit and delete other users in the domain)
  • User can create, edit and delete user groups if he is Domain Admin (if the user is a domain admin, whether they can create, edit and delete user groups in the domain)
  • User can view list of domains on server (specifies whether users can view a list of their own domains on the server)
  • User can view list of users in own domain (specifies whether users can view other users in the domain)
  • User can view list of users on server (specifies whether users can view a list of other users who have access to the server)
  • User can view own sessions (specifies whether users can view their own sessions)
  • User can control own sessions (specifies whether users can terminate their own sessions)
  • User can view sessions in domain (specifies whether users can view sessions within their domains)
  • User can control sessions in domain (specifies whether users can terminate any sessions within their domains)
  • User can view all sessions on server (specifies whether users can view all sessions on server)
  • User can control all sessions on server (specifies whether users can terminate any sessions on server)
  • User can create group hierarchy [unsupported preview] (user can create group hierarchy by adding group to another group)
  • User can create groups (is user allowed to create groups)
  • User can edit groups (is user allowed to edit groups)
  • User can delete groups (is user allowed to delete groups)
  • View network status in /network_status (specifies whether users can view network status at /network_status)
  • Enable system information in /sysinfo (specifies whether to enable system information in /sysinfo)
  • Enable public file list in /files (backward compatibility) (If enabled, the files placed in public storage will be listed at <server_address>/files)
  • Allow stress test (Allow the stress test to be performed)
  • User can change full name (specifies whether users can change full names)
  • User can change e-mail (specifies whether users can change e-mail addresses)
  • User can change nickname (specifies whether users can change nicknames)
  • User can change password (specifies whether users can change passwords)
  • User can change time zone (specifies whether users can change time zones)
  • Store last used language in account (specifies whether to save the last used language in account)
  • Mail template for forgotten password (Customize the template for the email sent when a user forgets his or her password)
  • Mail template for forgotten password (backwards compatibility v1) (Mail template for forgotten password used for backwards compatibility)
  • Forgot password e-mail token expiry in seconds (Expiry time for the forgotten password token; if the password isn't changed within this time, a new password has to be requested again)
  • Valid password format (regex) (use this option to specify a valid password format using a regular expression)

When a user enters a new password it has to match the regex you specified in ISL Conference Proxy.

Example

^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,}$

The regex above requires the user password to be in the following form:

  • at least 8 characters in length
  • 2 letters in upper case
  • 1 special character (!@#$&*)
  • 2 numerals (0-9)
  • 3 letters in lower case

Explanation:

  • ^                             Start anchor
  • (?=.*[A-Z].*[A-Z])            Ensure the string has two uppercase letters.
  • (?=.*[!@#$&*])                Ensure the string has one special character.
  • (?=.*[0-9].*[0-9])            Ensure the string has two digits.
  • (?=.*[a-z].*[a-z].*[a-z])     Ensure the string has three lowercase letters.
  • .{8,}                         Ensure the string is at least 8 characters long.
  • $                             End anchor.

More regex information and tutorials can be found here: https://regexone.com/. 
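An added example (not part of the original page) that checks a password against the policy regex above and, for a rejected password, names which of the individual lookahead requirements failed, which is useful when adapting the regex to your own policy. The policy string is copied from the page; the sample passwords are constructed.

```python
import re

# Policy regex exactly as given on the page.
POLICY = r"^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,}$"

# The same requirements split out one by one so a failure can be explained.
REQUIREMENTS = [
    ("at least 2 uppercase letters", r"(?=.*[A-Z].*[A-Z])"),
    ("at least 1 special character from !@#$&*", r"(?=.*[!@#$&*])"),
    ("at least 2 digits", r"(?=.*[0-9].*[0-9])"),
    ("at least 3 lowercase letters", r"(?=.*[a-z].*[a-z].*[a-z])"),
    ("at least 8 characters", r"^.{8,}$"),
]


def check_password(password):
    """Return (accepted, unmet) where unmet lists the requirement names that failed.

    `accepted` is decided by the full policy regex alone; the per-requirement list is
    computed separately and must agree with it (checked below), which makes the split
    requirement table a safe explanation of the combined regex.
    """
    accepted = re.fullmatch(POLICY, password) is not None
    unmet = [name for name, pattern in REQUIREMENTS if re.search(pattern, password) is None]
    if accepted != (not unmet):
        raise AssertionError("requirement table is out of sync with POLICY")
    return accepted, unmet


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("AbcdEf1$2", "abcdefgh", "ABCdef12$"):
        ok, why = check_password(candidate)
        print(candidate, "accepted" if ok else "rejected: " + "; ".join(why))
```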

  • Invalid password error (use this option to modify the invalid password error notification)
  • Valid e-mail format (regex) (use this option to specify a valid e-mail format using a regular expression)
  • Invalid e-mail error (use this option to modify the invalid e-mail error notification)
  • Error message for disabled module (Use this option if you wish to show an error message when a disabled module is used)
  • License specification
  • Application MUX SSL test port (set a designated port which can be used by testing tools (e.g. sslscan) to scan for which protocols and ciphers are used by ICP)
  • Application MUX SSL protocol (list SSL protocols that should be enabled on the server side. Most secure protocol shared by client and server will be used)
  • Application MUX SSL cipher suite (list SSL cipher suites that should be used by the server. Most secure cipher shared by client and server will be used)

Note: Please be very careful when changing the MUX SSL settings. The default values are selected to offer maximum security and usability. By changing these settings your service can be severely degraded (security issues, connections not being established, ...).

  • HTTP proxy for web client (you can use this option to specify a web proxy that should be used by ISL Conference Proxy, the syntax is proxyaddress:proxyport or username:password@proxyaddress:proxyport if you need to specify a username and a password for your web proxy)
  • Do not use HTTP proxy for addresses (if you set the option above, you can use this setting to specify the addresses where a web proxy should not be used; use commas to separate the addresses)
  • Administrator account whitelist (user IDs): (If the list is empty then the whitelist is disabled and any account that is marked as Administrator can log into the configuration pages. For additional security you can specify user IDs here and they will act as a whitelist, meaning that only the Administrator accounts listed here can log into the configuration pages. This setting comes in handy, for example, when you have a large number of users and want to make sure that no account was given Administrator access by accident.)
  • Allowed IP addresses for administration (By default, you can only access ISL Conference Proxy administration from a local machine - you can specify allowed IP addresses in two ways, either list the IP addresses separated with commas or specify an allowed subnet, e.g. 192.168.0.1/255.255.255.0.)
  • Must use SSL for administration (set to Yes to allow only SSL encrypted access to ISL Conference Proxy administration - note that you will need to use the appropriate https link for administration: https://localhost:7615/conf)
  • Allowed IP addresses for XMLMSG (use this option to set allowed IP addresses that can use the XMLMSG interface for ISL Conference Proxy administration)
  • Must use SSL for XMLMSG (set to Yes to allow only SSL encrypted access to ISL Conference Proxy administration through the XMLMSG interface - note that you will need to use the appropriate https link for administration: https://localhost:7615/xmlmsg)
  • Force networks to public internet address (use this option to override server's autodetect for internet/intranet)
  • Force networks to private intranet address (use this option to override server's autodetect for internet/intranet)
  • Internet Explorer plugin trusted sites (this setting is used when installing ISL WebStart from the server)
  • Enable email matching on authentication (enable users to also log in with their account e-mail address instead of their username)
  • Max accounts when authenticating with email matching (Multiple users can have the same e-mail address. When the entered e-mail address matches multiple users, the user is matched based on the password entered. This setting controls how many accounts can be matched by one e-mail address. If the e-mail address matches more accounts than the limit specified here, the user will be asked to enter his full name to log in.)
  • Maximum failed logins for user (default 5) - maximum number of failed attempts to log in as specific user. Applies for standard user accounts and administrative accounts (two separate counters).
  • Maximum failed logins for address (default 5) - maximum number of failed attempts to log in from a specific IP address. Applies for standard user accounts and administrative accounts (two separate counters).
    • Note: Throttling counters for normal and administrative accounts are separate, meaning that if you are being throttled when logging in as a standard user, you will still be able to log in with an administrative account from the same IP address.
  • Maximum failed logins period in seconds (default 60) - time period defined in seconds for limiting the above two rules.
  • GRID-wide maximum failed logins (default YES) - option to define whether the above login settings apply to the whole GRID network
  • System hashed password scheme (Select the scheme for storing passwords and account settings for services that don't require a reversible storing scheme)
    • You can select between following options:
      • islhash1 - selected by default, most secure amongst the available options. It uses the following algorithm for hashing passwords (output[n] denotes the n-th ':'-separated field of output):
        rounds = 10000
        salt = random_bytes(16)
        output = rounds + ':' + base64(salt) + ':' + base64(PKCS5_PBKDF2_HMAC(password, salt, rounds, sha512))
        verify = unbase64(output[2]) == PKCS5_PBKDF2_HMAC(password, unbase64(output[1]), output[0], sha512)
      • islstatic1 - Internal reversible password scheme - LESS SECURE
      • plain text - passwords are stored in plain text

Note: Passwords on ISL Conference Proxy used to be stored as plain text. Since ISL Conference Proxy 4.1.0, new accounts and password resets use the islhash1 scheme for hashing passwords, and user accounts and settings are no longer stored in plain text. Accounts created before updating to ISL Conference Proxy 4.1 will still be stored as plain text, so a password change is needed for all old accounts.
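As an added illustration (not ICP's own code), the islhash1 layout described above can be reproduced and verified with the Python standard library. Assumed, because the page does not state it: the derived key is 64 bytes (the SHA-512 digest size); `needs_rehash` is a hypothetical helper showing how an operator could detect stored values produced under a weaker rounds or salt-size setting than the current one.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: derived-key length equals the SHA-512 digest size (64 bytes).
DERIVED_KEY_LEN = hashlib.sha512().digest_size


def islhash1_hash(password: str, rounds: int = 10000, salt_size: int = 16,
                  salt: Optional[bytes] = None) -> str:
    """Produce a stored value in the 'rounds:base64(salt):base64(dk)' layout.

    Defaults mirror the page: 10000 rounds and a 16-byte random salt.
    A fixed salt may be supplied for deterministic tests only.
    """
    if rounds < 1 or salt_size < 1:
        raise ValueError("rounds and salt size must be positive")
    if salt is None:
        salt = os.urandom(salt_size)  # random_bytes(salt_size)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, DERIVED_KEY_LEN)
    return "{}:{}:{}".format(rounds,
                             base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(dk).decode("ascii"))


def islhash1_verify(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored rounds and salt and compare in constant time.

    Malformed stored values (wrong field count, non-integer rounds, bad base64)
    are treated as a failed verification rather than raising.
    """
    try:
        rounds_field, salt_b64, dk_b64 = stored.split(":")
        rounds = int(rounds_field)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if rounds < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, len(expected))
    return hmac.compare_digest(actual, expected)  # no early-exit comparison


def needs_rehash(stored: str, rounds: int = 10000, salt_size: int = 16) -> bool:
    """True when a stored value uses fewer rounds or a smaller salt than the current policy.

    Hypothetical helper: the page only defines the hash and verify steps.
    """
    try:
        rounds_field, salt_b64, _ = stored.split(":")
        return int(rounds_field) < rounds or len(base64.b64decode(salt_b64, validate=True)) < salt_size
    except (ValueError, TypeError):
        return True  # unparsable values should be replaced on next password change


if __name__ == "__main__":
    value = islhash1_hash("example-password")  # constructed sample, not a real credential
    print(value)
    print("verify ok:", islhash1_verify("example-password", value))
    print("verify wrong:", islhash1_verify("wrong-password", value))
```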

  • System reversible password scheme (Select the scheme for storing passwords and account settings for services that require a reversible storing scheme)
    • You can select between following options:
      • islstatic1 - Internal reversible password scheme
      • plain text - passwords are stored in plain text
  • Login password scheme (Select scheme for hashing and storing login passwords)
    • You can select between following options:
      • islhash1 - selected by default, most secure amongst the available options.
      • islstatic1 - Internal reversible password scheme - LESS SECURE
      • plain text - passwords are stored in plain text
  • islhash1 salt size (Set the salt size in bytes, default value is 16)
  • islhash1 rounds (Set the number of rounds when hashing the passwords, default value is 10 000)

Possible problems when using islhash1 (PBKDF2):

ISL Light Desk 3.2.1 or older cannot authenticate (3.2.2+ sends the password correctly) if the user account's password is stored with the PBKDF2 scheme; change the scheme to plain/reversible and set the password again.

ISL AlwaysOn: light::web_session was committed in https://fisheye.islonline.com/changelog/ISL?cs=14670, ISL AlwaysOn Connect 1.2.0 is required for normal operation (uses web session id), 1.1.0 or older will ask for password and won't connect automatically.

ISL Pronto: the latest build of the module (2.2.1beta48+) is required for normal operation, otherwise ISL Light Desk will ask for a password and won't connect automatically.

Other important info:

The latest ISL Conference Proxy (4.0.3beta1+) will automatically start using the islhash1 scheme for all new accounts or password resets. However, you must use ISL Pronto module 2.2.1beta48+, otherwise ISLCP will keep the default mode as plain text!

The latest ISL AlwaysOn module (2.2.3beta7+) is required if you wish to support users with ISL AlwaysOn Connect 1.1.0 or older while using reversible encryption for passwords (islstatic1).

  • Require signature for Online update (Check the validity of index.xml and software_policy.xml downloaded from http://www.islonline.com/system/updates when determining which updates are available. If this is disabled it is possible to trick ISL Conference Proxy into downloading third-party files, but ISL Conference Proxy will reject them once they are downloaded as all update files are signed.)
  • Require signature for Manual update (Check the validity of index.xml and software_policy.xml stored locally when determining which updates are available during a Manual update. If this is disabled it is possible to trick ISL Conference Proxy into downloading third-party files, but ISL Conference Proxy will reject them once they are downloaded as all the update files are signed.)
  • Open URL after logout (specify a URL that opens when user logs out of his ICP account.)
  • Allow login without configured Two-Factor Authentication
  • External authenticator (use this option to specify an external authenticator for all users, you can use existing Microsoft Active Directory, Novell eDirectory, OpenLDAP, Radius or FreeRADIUS for user authentication)
  • External authenticator fail reason specification ([["regex", "html text"], ...]) (specify custom error messages displayed to user on login to reflect the real reason why external authenticator failed)

Example:

[
  ["^LDAP:.*: AcceptSecurityContext error, data (525|52e),", ""],
  ["^LDAP:.*: AcceptSecurityContext error, data 530,", {"__tr__":{"text":"Your account has time restrictions that keep you from signing in right now."}}],
  ["^LDAP:.*: AcceptSecurityContext error, data 532,", {"__tr__":{"text":"The password for this account has expired."}}],
  ["^LDAP:.*: AcceptSecurityContext error, data 533,", {"__tr__":{"text":"This user can't sign in because this account is currently disabled."}}],
  ["^LDAP:.*: AcceptSecurityContext error, data 701,", {"__tr__":{"text":"The user's account has expired."}}],
  ["^LDAP:.*: AcceptSecurityContext error, data 773,", {"__tr__":{"text":"The user's password must be changed before signing in."}}],
  ["^LDAP:.*: AcceptSecurityContext error, data 775,", {"__tr__":{"text":"The referenced account is currently locked out and may not be logged on to."}}],
  ["^LDAP:.*: AcceptSecurityContext error, data ([0-9a-zA-Z]+),", {"__tr__":{"text":"Access is denied (<_arg _T=\"error_code\">0x\\1</_arg>)."}}],
  ["^LDAP:.*: Group not found", {"__tr__":{"text":"Access is denied."}}]
]

The HTML text shown as a response is selected by matching the regex against the error returned by the external authenticator. The default example matches the error response codes returned by LDAP. To learn more about common LDAP errors please refer to: Common Active Directory LDAP errors

  • External authenticator login settings rules ([[rule...], ...])

Settings were added to configure the mapping of external group membership information to ISL Conference Proxy user account settings. The setting is a JSON array of rules "[rule, ...]" executed one by one, in order, when the user logs in. Available rules:

["key", "KEY", "VALUE"] - set KEY=VALUE
["in-group", "GROUPEXPR", ...] - conditionally execute ... if the user is in GROUPEXPR
["key-group-list", "KEY", "GROUPEXPR_PREFIX"] - set KEY=vector of groups
["key-group-list-comma", "KEY", "GROUPEXPR_PREFIX"] - set KEY=comma separated list of groups

GROUPEXPR: list of tag:attribute:value
GROUPEXPR_PREFIX: prefix filter, usually set to tag:attribute:

#Example
#Users from groups "ISL-admins" and "ISL-limited" have ISL Light enabled, other users do not.
[
["key", "light::enabled", "0"],
["in-group", "allgroups:cn:ISL-admins", "key", "light::enabled", "1"],
["in-group", "allgroups:cn:ISL-limited", "key", "light::enabled", "1"]
]
  • External authenticator allows empty passwords (default value: no, added support for preventing empty password being passed on to external authenticator) (specify if external authenticator allows empty passwords)
  • External authenticator backend error reports 
  • One time passwords (Set to allow one-time passwords for login) (whether one-time passwords can be used)
  • External dialog authenticator (which dialog is used for the authenticator. The default value is $core_login, meaning that the same dialog is used as for the core login module of ICP)
  • External dialog authenticator step timeout in seconds (timeout for an external authenticator step)
  • Allow legacy login without 2FA support (without external dialog authenticator) (whether login is allowed without two-factor authentication)
  • Enable single sign-on SAML (enable single sign-on functionality. While this is enabled the normal login (with ICP users) will not work, all logins will be done via single sign-on)
  • SAML service provider PEM cert file (path to PEM cert file used by ICP to communicate with identity provider. File should be uploaded to ICP's private storage. Path to files in private storage should be given as objects/<filename>)
  • SAML service provider PEM key file  (path to PEM key file used by ICP to communicate with identity provider. File should be uploaded to ICP's private storage. Path to files in private storage should be given as objects/<filename>)
  • SAML service provider PEM key file passphrase (passphrase for unlocking the PEM key file)
  • SAML identity provider XML metadata file (XML metadata file from your Identity provider used to negotiate SAML communication with ICP)
  • SAML authenticate on every login (by default when you log out of ICP account your session with Identity provider stays active, meaning that next time you click "Log in" in the ICP you won't have to re-enter the credentials. Set this to yes to always require the user to enter the credentials when logging into ICP.)
  • SAML login settings rules ([[rule...], ...]) (SAML rules specify how authentication information obtained via SAML is mapped to ICP's variables and which variables should be set when Single sign-on authentication is performed.) Example rules for integrating with AD FS Identity provider look like this:
[
["key", "domain", "sso"]
,["key-from-attr", "username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
,["key", "user_profile::password", "0"]
,["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
,["key", "user_profile::name", "0"]
,["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
,["key", "user_profile::email", "0"]
,["groups-from-attr", "http://schemas.xmlsoap.org/claims/Group"]
]

Each rule begins either with "key","key-from-attr" or "groups-from-attr".

Rules with the "key" attribute specify that the middle parameter is set to the value in the last field. In the example above the "domain" is set to "sso", meaning that users that log in via Single sign-on will be added to the sso domain. Additionally, the parameters user_profile::password, user_profile::name and user_profile::email are all set to 0, meaning that a user who signs in via Single sign-on will not be able to change his username, password and email inside ICP, as this does not make sense.

Rules with "key-from-attr" and "groups-from-attr" set the value of the middle parameter to the value obtained from the specified attribute. Attributes are specified by your Identity Provider. In the example above the attributes are used to set the username, realname, email and groups for a user when Single sign-on is performed. The values are obtained via SAML from the Identity Provider.
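An added example (not ICP's own implementation) of how a rule evaluator for the external authenticator login settings rules and the SAML login settings rules above can work; it serves both passages, using the page's two rule sets verbatim. Assumptions the page does not state: GROUPEXPR is matched as one exact `tag:attribute:value` string against the user's group list, `key-group-list` and `key-group-list-comma` store the group values with the prefix stripped, `groups-from-attr` replaces the group list with the attribute's values, and the sample SAML attributes and the `light::groups` key are constructed.

```python
import json

# Rule sets copied from the two examples on the page.
EXTERNAL_AUTH_RULES = json.loads("""
[
["key", "light::enabled", "0"],
["in-group", "allgroups:cn:ISL-admins", "key", "light::enabled", "1"],
["in-group", "allgroups:cn:ISL-limited", "key", "light::enabled", "1"]
]
""")

SAML_RULES = json.loads("""
[
["key", "domain", "sso"]
,["key-from-attr", "username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
,["key", "user_profile::password", "0"]
,["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
,["key", "user_profile::name", "0"]
,["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
,["key", "user_profile::email", "0"]
,["groups-from-attr", "http://schemas.xmlsoap.org/claims/Group"]
]
""")

# Constructed sample of attributes an AD FS assertion might carry (not real data).
SAMPLE_SAML_ATTRS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "jdoe@example.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Jane Doe",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "jdoe@example.com",
    "http://schemas.xmlsoap.org/claims/Group": ["ISL-admins", "Staff"],
}


def apply_login_rules(rules, groups, attrs=None):
    """Evaluate rules in order and return (settings, groups).

    groups: the user's external group membership as 'tag:attribute:value' strings.
    attrs:  attribute name -> value (str or list of str), used by the SAML rule types.
    Unknown rule types and wrong arities raise ValueError so a broken policy is not
    silently accepted as "no restrictions".
    """
    settings = {}
    groups = list(groups)
    attrs = attrs or {}

    def first(value):
        return value[0] if isinstance(value, list) else value

    def run(rule):
        nonlocal groups
        if not rule:
            raise ValueError("empty rule")
        op = rule[0]
        if op == "key" and len(rule) == 3:
            settings[rule[1]] = rule[2]
        elif op == "in-group" and len(rule) >= 3:
            if rule[1] in groups:          # assumption: exact match of one GROUPEXPR string
                run(rule[2:])              # the remainder is itself a rule
        elif op in ("key-group-list", "key-group-list-comma") and len(rule) == 3:
            prefix = rule[2]
            matched = [g[len(prefix):] for g in groups if g.startswith(prefix)]
            settings[rule[1]] = matched if op == "key-group-list" else ",".join(matched)
        elif op == "key-from-attr" and len(rule) == 3:
            if rule[2] in attrs:
                settings[rule[1]] = first(attrs[rule[2]])
        elif op == "groups-from-attr" and len(rule) == 2:
            value = attrs.get(rule[1], [])
            groups = list(value) if isinstance(value, list) else [value]
        else:
            raise ValueError("unknown or malformed rule: %r" % (rule,))

    for rule in rules:
        run(rule)
    return settings, groups


if __name__ == "__main__":
    print(apply_login_rules(EXTERNAL_AUTH_RULES, ["allgroups:cn:ISL-limited"]))
    print(apply_login_rules(SAML_RULES, [], SAMPLE_SAML_ATTRS))
```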

  • Force application web login
  • Authenticode tool (select which tool is used for code signing)
  • Use authenticode from license (set whether code signing should be done from license or from certificate file)
  • Use authenticode packed parameters (BASE64) (the input expects base64 encoded authenticode license key. This setting overrides other authenticode settings including the setting defined in license)

Note: Software downloaded from ISL Conference Proxy is by default now signed with two different certificates (SHA-1 & SHA-2) to follow the latest security standards and at the same time enable backwards compatibility for systems that only support SHA-1 signatures. The options below are therefore duplicated: the first set of settings enables you to set up your own SHA-2 certificate, and the [compat] settings enable you to set up your own SHA-1 certificate.

  • Authenticode enabled (use this option to enable/disable authenticode - code signing for all executables downloaded from the server)
  • Authenticode hash function (select the hash algorithm used by authenticode; you can select between MD5, SHA1, SHA256, SHA384 and SHA512. Default value: Autodetect)
  • Authenticode publisher certificate file (PKCS#7) (use this option to set the certificate file - in DER PKCS#7 format)
  • Authenticode private key file (PEM) (use this option to set the private key file)
  • Authenticode private key passphrase (use this option to set the private key passphrase in case you use an encrypted private key)
  • Authenticode enabled [compat] (use this option to enable/disable authenticode - code signing for all executables downloaded from the server)
  • Authenticode hash function [compat] (select the hash algorithm used by authenticode; you can select between MD5, SHA1, SHA256, SHA384 and SHA512. Default value: Autodetect)
  • Authenticode publisher certificate file [compat] (PKCS#7) (use this option to set the certificate file - in DER PKCS#7 format)
  • Authenticode private key file [compat] (PEM) (use this option to set the private key file)
  • Authenticode private key passphrase [compat] (use this option to set the private key passphrase in case you use an encrypted private key)
  • reCAPTCHA v3 required (require reCAPTCHA v3 on login pages)
    • reCAPTCHA v3 cannot prevent the user from proceeding forward. When reCAPTCHA v3 is enabled and a user opens your web page, the request is evaluated by Google and the probability that the user is legitimate is returned. You have to specify your own way of allowing/denying requests based on this value.
  • reCAPTCHA v3 site key (enter the site key you received when registering captcha v3)
  • reCAPTCHA v3 secret key (enter the secret key you received when registering captcha v3)
  • reCAPTCHA v2 required (require reCAPTCHA v2 on login pages - works independently of reCAPTCHA v3)
    • reCAPTCHA v2 has two modes of operation and can prevent the user from proceeding forward. When registering reCAPTCHA v2 for your website you have to select the Invisible option for reCAPTCHA v2 to work correctly with ICP as described in this topic: reCAPTCHA.
    • If reCAPTCHA v2 works independently of reCAPTCHA v3 (the reCAPTCHA v2 required only when v3 score is less setting is disabled), then the user will either be let through or shown a validation window where he will have to recognize images to prove that he is human.
    • If reCAPTCHA v2 works in combination with reCAPTCHA v3 (the reCAPTCHA v2 required only when v3 score is less setting is enabled), then the user will either be let through or shown the "I'm not a robot" checkbox depending on the value returned by reCAPTCHA v3.
  • reCAPTCHA v2 required only when v3 score is less: (Only trigger reCAPTCHA v2 validation if the score returned by reCAPTCHA v3 is smaller than the specified value. The value should be in the range 0 - 100, specifying the probability as a percentage. The usual score returned for a valid request by reCAPTCHA v3 is around 90)
  • reCAPTCHA v2 site key (enter site key you received when registering captcha v2)
  • reCAPTCHA v2 secret key (enter secret key you received when registering captcha v2)
  • reCAPTCHA maximum verify queue (0 for unlimited) (maximum number of captcha requests waiting in the queue to be authenticated by Google. When queue is full the new requests are denied. Usually the reason a queue would fill up is network issue between ICP and Google.)
  • reCAPTCHA verify response is ignored (user is allowed to login even with invalid captcha) (if user fails to solve captcha, is he still allowed to log in)
  • CAPTCHA fail2ban score (set the threshold score for the captcha response. If the response is lower than the set value a fail2ban tag will be logged and you can use fail2ban or a similar approach to block offending IP addresses.)
