Niklas Gustavsson wrote:
> Dave Roberts wrote:
>> John Garrould wrote:
>>> Is there a way to configure the server so that malicious users cannot
>>> try multiple log-in attempts without reconnecting? Ideally I would
>>> like to be able to configure the connection to be dropped after 3
>>> invalid attempts at the password.
>>
>> I don't believe this is currently configurable. Niklas or Rana can
>> correct me if I'm wrong about this.
>
> You're correct, it is not currently possible to set. However, I think
> it's a very good idea, even to have a default value that kicks a user
> after a certain number of login attempts. I've created a JIRA issue to
> track this and will have a look at fixing it within the next couple days.
> https://issues.apache.org/jira/browse/FTPSERVER-94

Sorry for taking such a long time on completing this. However, now it's
done. I've added two new configurations:

config.connection-manager.max-login-failures
    The number of failed logins before a session is disconnected. Set to 3
    by default, set to 0 to allow an infinite number of attempts.

config.connection-manager.login-failure-delay
    A timed delay after a failed login attempt. Set to 500 ms by default.
    Makes brute force password attacks harder.

Please tell me if this solves your troubles!
/niklas
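
A model of how the two settings described above interact on one session, added here as an example; it is not FtpServer code and not part of the thread. The credential store, the reply texts, the per-session counter and charging the delay before the reply is sent are assumptions of this sketch.

```python
import hmac
from dataclasses import dataclass, field

# Constructed credential store for the demo; not from the thread.
USERS = {"alice": "correct horse"}

def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user, "")
    # Constant-time comparison so the check itself leaks no timing.
    same = hmac.compare_digest(expected.encode(), password.encode())
    return same and user in USERS

@dataclass
class Session:
    max_login_failures: int = 3        # 0 = unlimited attempts
    login_failure_delay_ms: int = 500
    failures: int = 0
    connected: bool = True
    authenticated: bool = False
    # Delays are recorded rather than slept so the model runs instantly;
    # a real server would block here for the configured time.
    slept_ms: list = field(default_factory=list)

    def login(self, user: str, password: str) -> str:
        if not self.connected:
            raise ConnectionError("control connection already closed")
        if check_password(user, password):
            self.authenticated = True
            return "230 User logged in"
        self.failures += 1
        # Assumed: the delay is charged on every failure, before the reply.
        self.slept_ms.append(self.login_failure_delay_ms)
        if 0 < self.max_login_failures <= self.failures:
            self.connected = False     # client has to reconnect to try again
            return "421 Too many failed logins, closing connection"
        return "530 Authentication failed"

def replay(session: Session, guesses) -> list:
    """Feed (user, password) pairs until the session drops or logs in."""
    replies = []
    for user, password in guesses:
        if not session.connected or session.authenticated:
            break
        replies.append(session.login(user, password))
    return replies
```

With the defaults, a run of wrong passwords ends after three replies and 1500 ms of accumulated delay; with `max_login_failures=0` the same run is limited only by the delay.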