Version: Pro Edition for Eclipse Mosquitto 3.1

Login Rate Limiting

Note: This feature is only available in the enterprise version.

A security feature that limits the number of login attempts to the Mosquitto MQTT Platform within a given interval. Enabling it helps mitigate password brute-force attacks. Rate limiting is enforced per IP address that attempts to log in.

Configuration

The rate limit feature can be configured with the following environment variables:

  • RATE_LIMIT_ENABLE - specifies whether the rate limiter is enabled. Set to 1 to enable and remove the variable to disable. Note that setting this variable to 0 will not disable the feature, because values are treated as strings and checked for truthiness internally (a non-empty string such as "0" counts as true).
  • RATE_LIMIT_WINDOW_MS - the interval in milliseconds during which no more than RATE_LIMIT_MAX login attempts can be performed.
  • RATE_LIMIT_MAX - the maximum number of attempts allowed within one RATE_LIMIT_WINDOW_MS interval. If this number is exceeded, rate limiting is enforced and access is temporarily blocked. In this case the user has to wait until the end of the current RATE_LIMIT_WINDOW_MS interval before trying again. The remaining number of seconds before the rate limiting block is reset is shown on the error page as part of the default error message if RATE_LIMIT_MESSAGE is not defined.
  • RATE_LIMIT_MESSAGE - a custom error message shown when the allowed number of login attempts is exceeded. Default value: Please try again after X second(s).
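The following is an added illustration of the semantics described above (per-IP fixed window, the "0 does not disable" quirk, and the default retry-after message); it is example code, not the product's own implementation. The function names, the `env` object and the `now` timestamp parameter are assumptions made for the example.

```javascript
// Added example: a per-IP fixed-window login rate limiter driven by the
// RATE_LIMIT_* environment variables documented above.

function parseRateLimitConfig(env) {
  return {
    // Truthiness check on the raw string: "0" is a non-empty string and
    // therefore still enables the limiter; only an unset variable disables it.
    enabled: Boolean(env.RATE_LIMIT_ENABLE),
    windowMs: Number(env.RATE_LIMIT_WINDOW_MS),
    max: Number(env.RATE_LIMIT_MAX),
    message: env.RATE_LIMIT_MESSAGE, // undefined => use the default text
  };
}

function createLoginRateLimiter(config) {
  // ip -> { count, windowStart }; the window is fixed, not sliding, so a
  // blocked client regains access when the current window ends.
  const windows = new Map();

  // `now` is a millisecond timestamp (e.g. Date.now()) passed in for testability.
  // Returns { allowed: true } or { allowed: false, retryAfterSec, message }.
  function check(ip, now) {
    if (!config.enabled) return { allowed: true };
    let entry = windows.get(ip);
    if (!entry || now - entry.windowStart >= config.windowMs) {
      entry = { count: 0, windowStart: now };
      windows.set(ip, entry);
    }
    entry.count += 1;
    if (entry.count <= config.max) return { allowed: true };
    // Seconds left until the window (and the block) resets, rounded up.
    const retryAfterSec = Math.ceil((entry.windowStart + config.windowMs - now) / 1000);
    const message = config.message !== undefined
      ? config.message
      : `Please try again after ${retryAfterSec} second(s).`;
    return { allowed: false, retryAfterSec, message };
  }

  return { check };
}
```

Attempts from other IP addresses are tracked independently, and blocked attempts still count within the window but do not extend it.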

Limitations

The rate limiter protects only the login page, not the sign-up page or the API endpoints.