If you make a web interface available to your customers, you may notice problems when customers repeatedly log in with wrong credentials. The server is equipped with brute-force protection for the query interface, designed to prevent your query login passwords from being guessed through repeated login attempts. This protection is enabled by default and bans the offender's IP address if too many failed logins happen, regardless of whether the IP address is whitelisted or not.
Please note that when you provide access through a common portal (e.g. a web page), this means that all access from that IP address is blocked. Regardless of which query user attempts to log in from the IP address, it will be blocked, since the query interface rejects all connections from the IP address while it is banned.
If you want to disable this, however, you can start the server with the "query_skipbruteforcecheck=1" parameter (available since version 3.0.8). This disables the protection and ignores failed login attempts from the same IP address, as long as the IP address is whitelisted.
We advise building additional security measures (e.g. captchas and limits per user/IP) into the web interface or front end in order to block clients with too many failed attempts. It may also be wise not to allow logins with administrative accounts (such as the serveradmin login), in order to prevent users from abusing your web interface to guess the password and gain full access to your server instance.
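One way to implement the per-user and per-IP limits and the administrative-login block advised above, as an added example that is not part of the original article or the server's own code. The class name, method names, thresholds and the case-insensitive handling of login names are assumptions of this sketch.

```python
import time
from collections import deque

# Assumed policy values for this sketch; tune them for your portal.
BLOCKED_LOGINS = {"serveradmin"}  # administrative accounts are never accepted via the web front end
MAX_FAILURES = 5                  # failures tolerated per key within WINDOW
WINDOW = 600                      # length of the sliding window, in seconds


class LoginGate:
    """Sliding-window limiter keyed separately by client IP and by login name."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.failures = {}  # ("ip", addr) or ("user", name) -> deque of failure timestamps

    def _recent(self, key):
        """Drop expired timestamps for key and return how many failures remain."""
        q = self.failures.get(key)
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self.failures[key]  # do not keep empty entries for attacker-chosen names
        return len(q)

    def check(self, login, client_ip):
        """Return (allowed, reason); call before passing credentials to the query interface."""
        name = login.strip().lower()
        if name in BLOCKED_LOGINS:
            return False, "administrative login not permitted"
        if self._recent(("ip", client_ip)) >= self.max_failures:
            return False, "too many failed attempts from this address"
        if self._recent(("user", name)) >= self.max_failures:
            return False, "too many failed attempts for this login"
        return True, "ok"

    def record_failure(self, login, client_ip):
        """Count a rejected login against both the client address and the login name."""
        now = self.clock()
        for key in (("ip", client_ip), ("user", login.strip().lower())):
            self.failures.setdefault(key, deque()).append(now)

    def record_success(self, login, client_ip):
        # Clear only the per-login counter; the per-IP counter ages out on its own,
        # so one valid account cannot be used to reset guessing against other logins.
        self.failures.pop(("user", login.strip().lower()), None)
```

Because the front end refuses the request itself, rejected attempts never reach the query interface and so do not count toward the server-side ban of the portal's IP address.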
You can add IP addresses or ranges to the whitelist by adding them to query_ip_whitelist.txt (the default name, which can be changed). Specify one IP address or range per line; ranges must be given in CIDR notation. Changes to the whitelist file take effect up to 10 minutes after the change, or after a server instance restart (whichever happens first).