Brute-force detection and auto-block

3 min read · Account security

Goal: Understand how ePulz.io protects your account against password-guessing attacks.

Auto-blocking

After 5 failed login attempts from the same IP within 10 minutes, that IP is blocked for 30 minutes. The block extends progressively:

  • 5 failures -> 30 min block
  • 10 failures (cumulative) -> 4 h block
  • 20 failures -> 24 h block
  • 50+ failures -> permanent block (manual unlock required)

User-level lock

Independent of the IP blocks above: after 10 failed logins on the same email within 1 hour, the account is locked for 1 hour, regardless of which IPs the attempts came from. This prevents distributed brute force, where the guesses are spread across many IPs.

2FA bypass attempts

Failed 2FA codes count against the same limit as failed passwords. 5 wrong codes -> IP block.
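
The sketch below is an added example, not ePulz.io's own code: it models the IP tiers, the per-email lock and the shared password/2FA counter described above, so you can see why guesses spread across many IPs still lock the account. Assumptions: the class and method names are hypothetical, the cumulative per-IP count never resets, and a block's length is the highest tier that count has reached.

```python
from collections import defaultdict, deque

MIN, HOUR = 60, 3600
# Cumulative-failure tiers from the list above: (threshold, block length in seconds).
IP_TIERS = [(50, float("inf")), (20, 24 * HOUR), (10, 4 * HOUR), (5, 30 * MIN)]

class LoginGuard:
    def __init__(self):
        self.ip_recent = defaultdict(deque)    # ip -> failure times in the last 10 min
        self.ip_total = defaultdict(int)       # ip -> cumulative failures (assumed never reset)
        self.acct_recent = defaultdict(deque)  # email -> failure times in the last hour
        self.ip_blocked_until = {}             # ip -> unix time (inf = permanent)
        self.acct_locked_until = {}            # email -> unix time

    def allowed(self, ip, email, now):
        """Check before verifying credentials; denied attempts are not counted."""
        return (now >= self.ip_blocked_until.get(ip, 0)
                and now >= self.acct_locked_until.get(email, 0))

    def record_failure(self, ip, email, now):
        """Count a wrong password or a wrong 2FA code; both share the same limits."""
        self.ip_total[ip] += 1
        total = self.ip_total[ip]
        burst = self._slide(self.ip_recent[ip], now, 10 * MIN) >= 5
        # Assumption: a block starts on a 5-in-10-min burst or on reaching a tier,
        # and its length is the highest tier the cumulative count has reached.
        if burst or total in (10, 20) or total >= 50:
            length = next(d for t, d in IP_TIERS if total >= t)
            self.ip_blocked_until[ip] = now + length
        # The account lock is keyed on the email only, so rotating IPs does not evade it.
        if self._slide(self.acct_recent[email], now, HOUR) >= 10:
            self.acct_locked_until[email] = now + HOUR

    @staticmethod
    def _slide(window, now, span):
        """Append `now`, drop entries older than `span`, return the window size."""
        window.append(now)
        while window[0] <= now - span:
            window.popleft()
        return len(window)

# Constructed sample: ten addresses, one failed guess each, against one account.
SPRAY = [(i * 60, f"198.51.100.{i}", "user@example.com") for i in range(10)]
```

Replaying SPRAY through record_failure leaves every IP below its own threshold, yet the account is locked after the tenth failure.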

Notifications

The account holder receives an email when:

  • Account is auto-locked due to login attempts
  • Login from a new country (GeoIP) - even if successful
  • Password is changed
  • 2FA is enabled / disabled

For admins

Admins can view the global lockout list in the admin section, where they can manually unlock IPs or extend blocks.