How do I find the cause of the Brute Force detection blocking access from a specific IP?
If you're getting the error message "You are currently not allowed to log in because you had too many failed logins, try again later.", the likely cause is failed login attempts via the Matomo Login page.
However, it may be helpful to determine which user (if any) caused a specific IP address to get blocked.
This can be done by checking the Activity Log in Matomo under Administration > Diagnostic > Activity log.
However, the brute force detection can also be triggered by API requests with an incorrect or invalid token_auth.
These failed requests will not be shown in the Activity Log; instead, we will need to check the Matomo application log for further information.
First we need to make sure that logging is enabled: How do I enable logging in Matomo?
Next we can check our Matomo logs.
For example, failed API requests that subsequently trigger the Brute Force detection block will be shown in the logs as follows:
ERROR API[DATE TIME UTC] Uncaught exception in API: You can't access this resource as it requires 'view' access for the website id = 1. /path/to/matomo/core/Access.php:758
ERROR Matomo\ExceptionHandler[DATE TIME UTC] Uncaught exception: /path/to/matomo/core/Access.php/plugins/Login/Login.php(118): You are currently not allowed to log in because you had too many failed logins, try again later.
ERROR Matomo\ExceptionHandler[DATE TIME UTC] You are currently not allowed to log in because you had too many failed logins, try again later.
However, if these requests are being spaced out over time (for example, one request every few minutes), then it may be more challenging to find the cause in the Matomo logs.
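To help with spaced-out requests, the following Python script is an added example (not part of Matomo or of this FAQ) that reads log lines in the format shown above and, for each block, lists the failed API requests that preceded it. It assumes the DATE TIME UTC placeholder is written as YYYY-MM-DD HH:MM:SS UTC; the function names, the constructed sample log and the 60-minute look-back window are illustrative choices, not Matomo settings.

```python
import re
from datetime import datetime, timedelta

# Assumed layout, after the page's samples: LEVEL TAG[YYYY-MM-DD HH:MM:SS UTC] message
LINE_RE = re.compile(
    r"^[A-Z]+ [^\[]+\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\] (?P<msg>.*)$")
SITE_RE = re.compile(r"website id = (\d+)")
DENIED = "You can't access this resource"   # failed API request
LOCKOUT = "too many failed logins"          # brute force block in effect

# Constructed sample log; the timestamps are invented for this example.
SAMPLE_LOG = r"""
ERROR API[2024-05-01 08:30:00 UTC] Uncaught exception in API: You can't access this resource as it requires 'view' access for the website id = 1. /path/to/matomo/core/Access.php:758
ERROR API[2024-05-01 10:00:05 UTC] Uncaught exception in API: You can't access this resource as it requires 'view' access for the website id = 1. /path/to/matomo/core/Access.php:758
ERROR API[2024-05-01 10:07:10 UTC] Uncaught exception in API: You can't access this resource as it requires 'view' access for the website id = 1. /path/to/matomo/core/Access.php:758
ERROR API[2024-05-01 10:15:30 UTC] Uncaught exception in API: You can't access this resource as it requires 'view' access for the website id = 1. /path/to/matomo/core/Access.php:758
ERROR Matomo\ExceptionHandler[2024-05-01 10:20:00 UTC] Uncaught exception: /path/to/matomo/core/Access.php/plugins/Login/Login.php(118): You are currently not allowed to log in because you had too many failed logins, try again later.
ERROR Matomo\ExceptionHandler[2024-05-01 10:20:00 UTC] You are currently not allowed to log in because you had too many failed logins, try again later.
ERROR Matomo\ExceptionHandler[2024-05-01 10:25:00 UTC] You are currently not allowed to log in because you had too many failed logins, try again later.
"""

def parse(lines):
    """Yield (timestamp, kind, idsite) for the two message types shown on the page."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if LOCKOUT in m["msg"]:
            yield ts, "lockout", None
        elif DENIED in m["msg"]:
            site = SITE_RE.search(m["msg"])
            yield ts, "denied", int(site.group(1)) if site else None

def lockouts_with_causes(lines, window_minutes=60):
    """Per block, list the denied API calls in the look-back window before it."""
    window = timedelta(minutes=window_minutes)
    denied, report, last = [], [], None
    for ts, kind, site in sorted(parse(lines), key=lambda e: e[0]):
        if kind == "denied":
            denied.append((ts, site))
            continue
        if last is None or ts - last > window:  # repeats belong to the same block
            causes = [(t, s) for t, s in denied if ts - window <= t <= ts]
            report.append({"locked_at": ts, "denied": causes})
        last = ts
    return report

if __name__ == "__main__":
    for block in lockouts_with_causes(SAMPLE_LOG.splitlines()):
        print(block["locked_at"], [(str(t), s) for t, s in block["denied"]])
```

The timestamps it reports can then be matched against the web server access log to identify the client sending the invalid token_auth.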
The list of currently blocked IPs can be found in the Brute Force Log under Administration > Diagnostic > Brute Force Log. There you will see a list of IPs that have been blocked and will be able to unblock them if necessary.
However, once the IP has been unblocked, whether through the Brute Force Log, through the Login Settings menu, by adding the IP to the config.ini.php file, or by waiting for the block to be removed after some time, it will be removed from this list.
If the IP is no longer showing in the Brute Force Log, we can then check the matomo_brute_force_log table in the Matomo database to see a list of failed login attempts. This can be done with the following SQL query:
SELECT * FROM matomo_brute_force_log;
If you need to restore access from a blocked IP or to disable Brute Force detection, please see our FAQ here: How do I disable brute force authentication security checks for specific IP addresses?