Niklas Gustavsson wrote:
Dave Roberts wrote:
John Garrould wrote:
Is there a way to configure the server so that malicious users cannot
try multiple log-in attempts without reconnecting?  Ideally I would
like to be able to configure the connection to be dropped after 3
invalid attempts at the password.

I don't believe this is currently configurable.  Niklas or Rana can
correct me if I'm wrong about this.

You're correct, it is not currently possible to set. However, I think it's a very good idea, even to have a default value that kicks a user after a certain number of login attempts. I've created a JIRA issue to track this and will have a look at fixing it within the next couple days.

https://issues.apache.org/jira/browse/FTPSERVER-94

Sorry for taking such a long time on completing this. However, now it's done. I've added two new configurations:
config.connection-manager.max-login-failures

The number of failed logins before a session is disconnected. Set to 3 by default, set to 0 to allow an infinite number of attempts.

config.connection-manager.login-failure-delay

A timed delay after a failed login attempt. Set to 500 ms by default. Makes brute force password attacks harder.

Please tell me if this solves your troubles!

/niklas
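
A model of how the two settings described above behave within one session, including the 0 = unlimited case. This is an added example, not part of the original message and not Apache FtpServer's own code; the class LoginFailureGuard and its method names are hypothetical.

```java
import java.util.concurrent.TimeUnit;

/** Hypothetical per-session guard; models the two settings, not FtpServer's code. */
public class LoginFailureGuard {
    private final int maxLoginFailures;      // max-login-failures, 0 = unlimited
    private final long loginFailureDelayMs;  // login-failure-delay in milliseconds
    private int failures = 0;

    public LoginFailureGuard(int maxLoginFailures, long loginFailureDelayMs) {
        if (maxLoginFailures < 0 || loginFailureDelayMs < 0) {
            throw new IllegalArgumentException("settings must be >= 0");
        }
        this.maxLoginFailures = maxLoginFailures;
        this.loginFailureDelayMs = loginFailureDelayMs;
    }

    /** Call after a rejected password. Returns true if the session must be closed. */
    public boolean onFailedLogin() throws InterruptedException {
        failures++;
        // Timed delay after every failed attempt, even the one that disconnects.
        TimeUnit.MILLISECONDS.sleep(loginFailureDelayMs);
        // With 0 configured the limit is disabled and the session is never dropped.
        return maxLoginFailures > 0 && failures >= maxLoginFailures;
    }

    /** Connections one sequential client needs for the given number of wrong guesses. */
    static long connectionsNeeded(long guesses, int maxLoginFailures) {
        if (maxLoginFailures == 0) {
            return 1; // unlimited attempts on a single connection
        }
        return (guesses + maxLoginFailures - 1) / maxLoginFailures; // ceiling division
    }

    public static void main(String[] args) throws InterruptedException {
        // Defaults from the message: 3 failures, 500 ms delay.
        LoginFailureGuard guard = new LoginFailureGuard(3, 500);
        for (int attempt = 1; attempt <= 5; attempt++) {
            boolean drop = guard.onFailedLogin();
            System.out.printf("attempt %d failed, disconnect=%b%n", attempt, drop);
            if (drop) {
                break; // server closes the session here
            }
        }
        long guesses = 10_000; // constructed figure, for illustration only
        System.out.printf("%d wrong guesses: at least %d s of delay, %d connections%n",
                guesses, guesses * 500 / 1000, connectionsNeeded(guesses, 3));
    }
}
```

The delay total is a lower bound for a single client working through one connection at a time; it does not include connection setup time.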
