I see this:
By default, there are rules added to the DDPRateLimiter that rate limit logins, new user registration and password reset calls to a limit of 5 requests per 10 seconds per session. These are a basic solution to dictionary attacks where a malicious user attempts to guess the passwords of legitimate users by attempting all possible passwords.
These rate limiting rules can be removed by calling Accounts.removeDefaultRateLimit(). Please see the DDPRateLimiter docs for more information.
Has anyone ever set up a basic lockout after X login attempts?
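The default rules quoted above count requests per session, so a lockout after X attempts needs a counter kept per account instead. The following is an added example, not part of the original post and not Meteor's own code: a per-account failure counter with a timed lock. The class and function names, the limits, and the Meteor wiring described in the last comment are assumptions.

```javascript
// Added example, not Meteor code. Limits are assumed values, not Meteor defaults.
const MAX_FAILURES = 5;             // the "X" in "lockout after X attempts"
const WINDOW_MS = 15 * 60 * 1000;   // failures older than this are forgotten
const LOCKOUT_MS = 15 * 60 * 1000;  // how long the account stays locked

class LoginLockout {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so the logic can be tested
    this.state = new Map();  // account key -> { failures: [ms], lockedUntil: ms }
  }
  key(identifier) {
    // Normalise so "Alice@x" and "alice@x " share one counter.
    return String(identifier).trim().toLowerCase();
  }
  isLocked(identifier) {
    const entry = this.state.get(this.key(identifier));
    return Boolean(entry) && entry.lockedUntil > this.now();
  }
  recordFailure(identifier) {
    const k = this.key(identifier);
    const t = this.now();
    const entry = this.state.get(k) || { failures: [], lockedUntil: 0 };
    // Keep only failures inside the sliding window, then add this one.
    entry.failures = entry.failures.filter((ts) => t - ts < WINDOW_MS);
    entry.failures.push(t);
    if (entry.failures.length >= MAX_FAILURES) {
      entry.lockedUntil = t + LOCKOUT_MS;
      entry.failures = [];
    }
    this.state.set(k, entry);
    return entry.lockedUntil > t;  // true if this failure triggered a lock
  }
  recordSuccess(identifier) {
    this.state.delete(this.key(identifier));
  }
}

// Decision order matters: check the lock before looking at the password result,
// so a correct guess made during the lockout is still refused.
function attemptLogin(lockout, identifier, passwordOk) {
  if (lockout.isLocked(identifier)) return 'locked';
  if (passwordOk) { lockout.recordSuccess(identifier); return 'ok'; }
  return lockout.recordFailure(identifier) ? 'locked' : 'failed';
}
// Assumed Meteor wiring: call attemptLogin from an Accounts.validateLoginAttempt
// callback, passing attempt.allowed as passwordOk, and throw a Meteor.Error on 'locked'.
```

The Map lives in one server process, so a deployment with several instances needs the same state in a shared store such as the application database.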