Hacking and denial-of-service attacks

Malicious users can attempt to breach security or affect system performance by attacking the login, forgotten password, and self-registration processes. You can configure system properties and security settings to help prevent these kinds of hacking and denial-of-service attacks.

Disabling search engine crawlers

By default, any server that is exposed to the internet is indexed by search engines and is available through search. If you plan to open your Maximo server to internet access, you might choose to hide it from search engines by deploying a robots.txt file into your IBM® HTTP Server proxy or J2EE server.
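A minimal robots.txt that asks every crawler to stay out of the whole site, added here as an example and not taken from the product documentation (it assumes the file is served from the web root of the proxy or application server that fronts Maximo):

```text
# Added example: hide the entire server from well-behaved crawlers.
# The file must be reachable at http(s)://<your-host>/robots.txt
User-agent: *
Disallow: /
```

Note that robots.txt is advisory: it keeps cooperating search engines from indexing the login page, but it does not restrict access, so the IP-blocking and whitelist properties described below still apply.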

Blocking IP addresses

Depending on your security settings, IP addresses are blocked when an attack is detected. You can view, add, and delete blocked IP addresses in the Manage Blocked IP Addresses window of the Users application.

Security can be configured to block an IP address when too many login, forgotten password, or self-registration attempts are made from the same address. For any blocking to occur, the mxe.sec.IPblock property must be set.

In addition, if the mxe.sec.IPblock.MatchBoth property is set, an IP address is blocked only if both the client host and the client address of the incoming request match the values in the LOGINBLOCK table.

Failed logins and forgotten password attempts

If the number of failed logins or forgotten password attempts from the same IP address exceeds the value of the mxe.sec.IPblock.num property in the time that is specified by the mxe.sec.IPblock.sec property, the IP address is blocked.

Furthermore, if the number of concurrent forgotten password attempts exceeds the value of the mxe.sec.forgotpassword.maxsets property, an error occurs and the requesting IP address is blocked.

The number of failed logins is tracked by the reported number of web browser sessions. However, do not use the mxe.sec.IPblock.num property to try to control the number of user sessions or windows. Different web browsers report sessions differently, depending on the use of tabs, the browser version, and the operating system. Therefore, the number of browser sessions might not match the number of browser windows. Set the mxe.sec.IPblock.num property only for purposes of blocking intrusion attempts.

If the number of successive forgotten password attempts for a user exceeds the value that is specified in the Security Controls window of the Users application and the Security Groups application, the status of the user that is associated with the email address is set to BLOCKED.

Self-registration attempts

If the number of concurrent self-registration attempts exceeds the value of the mxe.sec.addusers.maxsets property, an error occurs and the requesting IP address is blocked.

IP address whitelist

You can specify IP addresses that must never be blocked; for example, you can specify the IP addresses of the servers that balance the user load so that all users can continue to access the Maximo system. To create a whitelist of IP addresses, specify a comma-delimited list of the IP addresses that must not be blocked in the mxe.sec.allowedIP property.
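The blocking rule described in the "Blocking IP addresses" and "Failed logins and forgotten password attempts" sections, together with the whitelist above, can be modelled as a sliding-window counter. The following Python is an added illustration written for this page, not Maximo's own implementation; the class name IPBlocker, its method names, and the in-memory dictionary standing in for the LOGINBLOCK table are assumptions. The constructor arguments mirror the properties mxe.sec.IPblock, mxe.sec.IPblock.num, mxe.sec.IPblock.sec, mxe.sec.IPblock.MatchBoth and mxe.sec.allowedIP, so you can see how each one changes the outcome for a constructed stream of failed attempts.

```python
"""Sliding-window IP blocker modelled on the Maximo mxe.sec.IPblock.* properties.

Added example; the class and method names are assumptions, not product APIs.
"""
from collections import defaultdict, deque


class IPBlocker:
    def __init__(self, ipblock=True, num=3, sec=60, match_both=False, allowed_ip=""):
        # mxe.sec.IPblock: nothing is ever blocked unless this is set.
        self.enabled = ipblock
        # mxe.sec.IPblock.num / mxe.sec.IPblock.sec: block when more than
        # `num` failures arrive within any `sec`-second window.
        self.num = num
        self.sec = sec
        # mxe.sec.IPblock.MatchBoth: key entries on (host, address) pairs
        # instead of the address alone.
        self.match_both = match_both
        # mxe.sec.allowedIP: comma-delimited whitelist, never blocked.
        self.allowed = {ip.strip() for ip in allowed_ip.split(",") if ip.strip()}
        # Recent failure timestamps per key (the sliding window).
        self.failures = defaultdict(deque)
        # Stand-in for the LOGINBLOCK table: key -> (host, address).
        self.blocked = {}

    def _key(self, host, addr):
        return (host, addr) if self.match_both else addr

    def record_failure(self, host, addr, now):
        """Register one failed login or forgotten-password attempt.

        Returns True if this attempt caused the address to become blocked.
        """
        if not self.enabled or addr in self.allowed:
            return False
        key = self._key(host, addr)
        window = self.failures[key]
        window.append(now)
        # Drop failures that fell out of the mxe.sec.IPblock.sec window.
        while window and now - window[0] > self.sec:
            window.popleft()
        if len(window) > self.num:
            self.blocked[key] = (host, addr)
            return True
        return False

    def is_blocked(self, host, addr):
        """Check an incoming request before it reaches the login handler."""
        if addr in self.allowed:
            return False
        return self._key(host, addr) in self.blocked

    # The next three mirror the view/add/delete actions of the
    # Manage Blocked IP Addresses window.
    def add_block(self, host, addr):
        self.blocked[self._key(host, addr)] = (host, addr)

    def remove_block(self, host, addr):
        self.blocked.pop(self._key(host, addr), None)
        self.failures.pop(self._key(host, addr), None)

    def list_blocked(self):
        return sorted(self.blocked.values())


if __name__ == "__main__":
    # Constructed sample: four failures from one address inside 60 seconds,
    # with num=3, so the fourth one trips the block.
    blocker = IPBlocker(num=3, sec=60, allowed_ip="10.0.0.5")
    for t in (0, 10, 20, 30):
        print(t, blocker.record_failure("client.example", "198.51.100.7", t))
    print(blocker.list_blocked())
```

The window is evaluated per key, so with MatchBoth enabled a block recorded for one (host, address) pair does not affect the same address arriving with a different host header, exactly as the property description states; whitelisted addresses short-circuit both the counting and the lookup so a load balancer can never lock itself out.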
