Preventing Connection After Failed Login Attempts

Prevent a user from connecting after exceeding the maximum failed login attempts.

Prerequisites
Task
The system can be set to automatically lock an account if a user fails to enter valid login credentials after a specified number of attempts. Once locked, the user cannot connect, even if valid credentials are subsequently entered; the account remains locked until it is manually unlocked. The MAX_FAILED_LOGIN_ATTEMPTS login policy option controls the number of sequential failed attempts before the user account is locked. You can set this value in a new or existing login policy, including the root login policy, and it then applies to all users assigned the login policy.
  1. To set the MAX_FAILED_LOGIN_ATTEMPTS option, either create a new login policy, or modify an existing one.
  2. Define a value for the MAX_FAILED_LOGIN_ATTEMPTS option.
  3. Assign the login policy to applicable users, as needed.

Example

This example creates a new login policy named lp, which automatically locks a user account after five failed attempts:
CREATE LOGIN POLICY lp max_failed_login_attempts=5
This example modifies an existing login policy named exist_lp so that it automatically locks a user account after five failed attempts:
ALTER LOGIN POLICY exist_lp max_failed_login_attempts=5
This example assigns the login policy lp to user John:
ALTER USER John LOGIN POLICY lp

Once John is assigned the lp login policy, he cannot log in if he enters invalid credentials five times in sequence.
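Because a locked account stays locked until it is manually unlocked, an administrator needs a way to find locked accounts and clear the lock. The following is an added example, not part of the original documentation. It assumes the server provides the sa_get_user_status system procedure and the RESET LOGIN POLICY clause of ALTER USER; the user name John comes from the example above.

```sql
-- Added example (not from the original page).
-- Assumption: sa_get_user_status and ALTER USER ... RESET LOGIN POLICY
-- are available on this server version.

-- 1. List accounts that are locked or have failed attempts recorded,
--    so that repeated failures can be reviewed before anything is unlocked.
SELECT user_name, failed_logins, locked, reason_locked, last_login_time
FROM sa_get_user_status()
WHERE locked = 1 OR failed_logins > 0
ORDER BY failed_logins DESC;

-- 2. After confirming with the account owner that the failures were
--    their own mistyped credentials, clear the lock for that one user.
ALTER USER John RESET LOGIN POLICY;

-- 3. Verify that the account is unlocked and the failure counter is cleared.
SELECT user_name, failed_logins, locked
FROM sa_get_user_status()
WHERE user_name = 'John';
```

Many accounts showing failed attempts at the same time is worth investigating before any account is reset.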

Related reference
ALTER LOGIN POLICY Statement
ALTER USER Statement
CREATE LOGIN POLICY Statement
Login Policy Options
LDAP Login Policy Options
Multiplex Login Policy Configuration