
Configuring the Application-Level Intrusion Detection System

There are four settings in the [PRONTO_SECURITY] section of the ProntoConfig.ini configuration file that control the AlphaTrust® e-Sign IDS:

  • IPCheck: set to 1 to have all inbound requests checked to see if their IP address is listed on the dynamic block list, and deny access if it is. AlphaTrust® e-Sign adds IP addresses, as reported via HTTP headers, to a dynamic block list if improper requests are logged. This helps prevent URL guessing attacks such as trolling for valid document retrieval URLs.

    NOTE

    Be sure you are passing through the external user's IP address. If you are using a load balancer, proxy, or other web farm mechanism, the proxy's address is usually what IIS sees. If the end user's address is not being passed to AlphaTrust® e-Sign (you can check a signature audit trail report for a test transaction to see the recorded IP address), you must set a custom header at the proxy that carries the client's address so AlphaTrust® e-Sign can pick it up. Configure your proxy or load balancer to add a custom HTTP header to requests passed to AlphaTrust® e-Sign. You may choose any name for the header, but IPAddress is recommended. Set the ProntoClientIPHeaderName value to this header name. This value is located in the [PRONTO_MODE] section of ProntoConfig.ini.

  • IPBlockTime: number of minutes to block an IP address that submits bad requests.

  • IPBlockLimit: number of bad requests an IP can submit before being added to the dynamic block list.

  • IPBlockIfBadIP: set to 1 to block a request if no IP address is provided or a badly formed IP address is submitted. Set to 0 to allow these requests; note that such requests can then never be blocked, because there is no address to add to the block list. IPv4 and IPv6 addresses are supported.

  • UpdateAccountAuthData: set to 1 to have all AuthData values in the Account table (clear text account passwords) converted to hash values. The clear text AuthData field will be cleared. This process runs approximately every 5 minutes, so AuthData can be updated manually in clear text and the system will then automatically hash it and clear the clear text value for later authentication use.

  • AuthBlockTime: number of minutes to block a participant who reaches the bad login limit (see below). Valid values are 1 to 525600.

  • AuthPINPasswordBadLoginLimit: the number of login attempts allowed for a participant requiring PIN/Password authentication before that participant is blocked. Valid values are 1 to 99.

  • AuthThirdPartyKBABadLoginLimit: the number of login attempts allowed for a participant requiring third-party Knowledge-Based Authentication before that participant is blocked. Valid values are 1 to 99.

  • AuthRegisteredUserBadLoginLimit: the number of login attempts allowed for a registered user requiring access to a transaction or control panel login before that user is blocked. Valid values are 1 to 99.

  • DisableAutoCompleteOnLoginFields: if set to 1, the login fields on the signer login page will not support autocomplete, provided the browser supports disabling that feature.

Default values for the [PRONTO_SECURITY] section:

IPCheck=1
IPBlockTime=15
IPBlockLimit=5
IPBlockIfBadIP=1
UpdateAccountAuthData=0
AuthBlockTime=30
AuthPINPasswordBadLoginLimit=5
AuthThirdPartyKBABadLoginLimit=5
AuthRegisteredUserBadLoginLimit=5
DisableAutoCompleteOnLoginFields=0
ValidDocumentSystemPaths=""
EnableMultifactorAuth=0
MultiFactorAuthExpireInDays=30
DisableHtmlDocumentType=0
JWTIssuer=Issuer
JWTAudience=Audience
JWTAccessExpiresInMinutes=5
JWTRefreshExpiresInMinutes=10080
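The following added example (not AlphaTrust's own code) models how the IPCheck, IPBlockLimit, IPBlockTime and IPBlockIfBadIP settings above combine with the ProntoClientIPHeaderName header into an allow/deny decision, and how the Auth*BadLoginLimit and AuthBlockTime settings apply the same counter-then-lockout pattern to participants rather than IP addresses. It generalizes slightly beyond the text by using one lockout counter for both cases. The INI text is a constructed copy of the defaults shown above, the TEST-NET addresses and participant id are made up, and the class and function names are hypothetical; it is written to show the behaviour an administrator should expect when validating the settings, not to reproduce the product's implementation.

```python
import configparser
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed excerpt of ProntoConfig.ini using the documented default values.
PRONTO_CONFIG_INI = """
[PRONTO_MODE]
ProntoClientIPHeaderName=IPAddress

[PRONTO_SECURITY]
IPCheck=1
IPBlockTime=15
IPBlockLimit=5
IPBlockIfBadIP=1
AuthBlockTime=30
AuthPINPasswordBadLoginLimit=5
"""


def load_ids_settings(ini_text):
    """Read the IDS-related keys; configparser matches key names case-insensitively."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["PRONTO_SECURITY"]
    return {
        "ip_check": sec.getint("IPCheck"),
        "ip_block_minutes": sec.getint("IPBlockTime"),
        "ip_block_limit": sec.getint("IPBlockLimit"),
        "block_if_bad_ip": sec.getint("IPBlockIfBadIP"),
        "auth_block_minutes": sec.getint("AuthBlockTime"),
        "pin_bad_login_limit": sec.getint("AuthPINPasswordBadLoginLimit"),
        "client_ip_header": cp["PRONTO_MODE"]["ProntoClientIPHeaderName"],
    }


class LockoutCounter:
    """Hypothetical model: count failures per key, block the key once limit is reached."""

    def __init__(self, limit, block_minutes):
        self.limit = limit
        self.block = timedelta(minutes=block_minutes)
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def is_blocked(self, key, now):
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:  # block expired: forget the key entirely
            del self.blocked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Return True when this failure pushes the key over the limit."""
        self.failures[key] += 1
        if self.failures[key] >= self.limit:
            self.blocked_until[key] = now + self.block
            return True
        return False


def client_ip(headers, header_name):
    """Parse the proxy-supplied client address; None means missing or malformed."""
    raw = headers.get(header_name)
    if raw is None:
        return None
    try:
        return ipaddress.ip_address(raw.strip())  # accepts IPv4 and IPv6 only
    except ValueError:
        return None


def check_request(settings, ip_blocks, headers, now):
    """Apply IPCheck and IPBlockIfBadIP to one inbound request: 'allow' or 'deny'."""
    if not settings["ip_check"]:
        return "allow"
    ip = client_ip(headers, settings["client_ip_header"])
    if ip is None:
        return "deny" if settings["block_if_bad_ip"] else "allow"
    return "deny" if ip_blocks.is_blocked(ip, now) else "allow"


def simulate_url_guessing(settings=None):
    """One client sends IPBlockLimit improper requests, is denied, then ages out after IPBlockTime."""
    settings = settings or load_ids_settings(PRONTO_CONFIG_INI)
    ip_blocks = LockoutCounter(settings["ip_block_limit"], settings["ip_block_minutes"])
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    headers = {"IPAddress": "203.0.113.7"}  # constructed TEST-NET-3 address
    decisions = []
    for _ in range(settings["ip_block_limit"]):
        decisions.append(check_request(settings, ip_blocks, headers, t0))  # not yet blocked
        ip_blocks.record_failure(client_ip(headers, "IPAddress"), t0)      # improper request logged
    decisions.append(check_request(settings, ip_blocks, headers, t0 + timedelta(minutes=1)))
    decisions.append(check_request(settings, ip_blocks, headers, t0 + timedelta(minutes=15)))
    return decisions  # five allows, one deny, then allow again once the block expires


def simulate_pin_lockout(settings=None):
    """Same counter keyed by participant id, using AuthPINPasswordBadLoginLimit/AuthBlockTime."""
    settings = settings or load_ids_settings(PRONTO_CONFIG_INI)
    logins = LockoutCounter(settings["pin_bad_login_limit"], settings["auth_block_minutes"])
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    participant = "participant-0001"  # constructed id
    locked_at = [logins.record_failure(participant, t0) for _ in range(settings["pin_bad_login_limit"])]
    return locked_at.index(True) + 1, logins.is_blocked(participant, t0 + timedelta(minutes=30))
```

When checking a deployment behind a proxy, the useful observation is the `client_ip` path: if the header is absent or carries the proxy's own address, every signer shares one counter (or, with IPBlockIfBadIP=1 and no header at all, every request is denied), which is exactly why the note above tells you to verify the recorded IP address on a test transaction's audit trail.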