John Garrould wrote:
> Is there a way to configure the server so that malicious users cannot
> try multiple log-in attempts without reconnecting?  Ideally I would
> like to be able to configure the connection to be dropped after 3
> invalid attempts at the password.

I don't believe this is currently configurable.  Niklas or Rana can
correct me if I'm wrong about this.

> How do you recommend we protect the server against this form of attack?

Probably set up a counter in the FtpSession implementation, then
when a login fails, the PASS class can obtain the session through
the Connection class, decrement the number of tries remaining and
drop the connection if the number reaches zero.

Should be pretty straightforward.  You might want to have a try
yourself, if you feel up to it.

In the meantime, please raise a call in JIRA
(http://issues.apache.org/jira) so the issue can be tracked.
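
A minimal sketch of the per-session counter described in the reply above, as an added example that is not part of the original message and is not Apache FtpServer code. `Session`, `handlePass` and `MAX_TRIES` are hypothetical names chosen for illustration; the reply codes are the standard FTP 230, 530 and 421.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical stand-ins for illustration; these are not Apache FtpServer classes.
public class LoginAttemptLimitDemo {
    static final int MAX_TRIES = 3; // the limit asked for in the question

    /** Per-connection state: the counter is created with the session and dies with it. */
    static class Session {
        int triesRemaining = MAX_TRIES;
        boolean open = true;
        boolean loggedIn = false;
    }

    /** Handles one PASS command and returns the FTP reply line sent to the client. */
    static String handlePass(Session s, String supplied, String expected) {
        if (!s.open) {
            // Once the limit is hit, nothing further is evaluated on this connection.
            return "421 Service not available, closing control connection.";
        }
        // Constant-time comparison so reply timing does not reveal a matching prefix.
        boolean ok = MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            s.loggedIn = true;
            s.triesRemaining = MAX_TRIES;
            return "230 User logged in.";
        }
        // Failed login: decrement the tries remaining and drop the connection at zero.
        if (--s.triesRemaining <= 0) {
            s.open = false; // a real server would close the control socket here
            return "421 Too many failed logins, closing control connection.";
        }
        return "530 Login incorrect.";
    }

    public static void main(String[] args) {
        Session s = new Session();
        String expected = "constructed-password"; // constructed sample value
        // Three wrong guesses followed by the correct password on the same session.
        for (String guess : new String[] {"a", "b", "c", "constructed-password"}) {
            System.out.println("PASS **** -> " + handlePass(s, guess, expected));
        }
    }
}
```

A counter held in the session only limits attempts per connection, which is what the question asks for; a client that reconnects starts with a fresh counter.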
