[ https://issues.apache.org/jira/browse/JAMES-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15249361#comment-15249361 ]

Bernd Waibel commented on JAMES-1723:
-------------------------------------

Currently (James 2.3.2) does not log the IP and user in the log file.
Only "AUTH method PLAIN failed" or "AUTH method LOGIN failed". Ditto for
"succeeded".
This is not enough, because you cannot find out "who" has tried to log in, and
how often he/she did this.

So please consider writing the IP to the log.
(Currently, 2.3.2, implemented in AuthCmdHandler.)
e.g.
            getLogger().error("AUTH method PLAIN failed for user " + user + " from " + session.getRemoteIPAddress());

This is independent of fail2ban.


> Add protection from password bruteforcing
> -----------------------------------------
>
>                 Key: JAMES-1723
>                 URL: https://issues.apache.org/jira/browse/JAMES-1723
>             Project: James Server
>          Issue Type: New Feature
>    Affects Versions: Trunk, 3.0-beta4, 3.0.0-beta5
>            Reporter: Alexei Osipov
>
> Right now James has no mechanism of protection against password forcing.
> For example, it's possible to connect to James via SMTP and execute the AUTH
> command as many times as needed to guess a user's password.
> Common practices that may be used by James:
> 1) Force disconnect after a few unsuccessful AUTH requests.
> 2) Count failed AUTH requests by IP address and reject connections from that
> IP if the number of failures reaches some threshold.
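One way to implement the two mechanisms proposed in the issue together with the per-IP log line the comment asks for, as an added sketch that is not James code: the class name, the Action enum, the thresholds and the window are assumptions, and the real hook would sit in AuthCmdHandler, where session.getRemoteIPAddress() is available.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical per-IP AUTH failure tracker; illustrative only, not part of James. */
public final class AuthFailureTracker {
    public enum Action { CONTINUE, DISCONNECT_SESSION, BLOCK_IP }
    private static final class Window { Instant first; int failures; }

    private final Map<String, Window> byIp = new ConcurrentHashMap<>();
    private final int maxPerSession;   // 1) force disconnect after this many failures in one session
    private final int maxPerIp;        // 2) block the IP once this many failures accumulate in 'period'
    private final Duration period;     // counting window; older failures are forgotten
    private final Clock clock;         // injected so the window can be tested deterministically

    public AuthFailureTracker(int maxPerSession, int maxPerIp, Duration period, Clock clock) {
        this.maxPerSession = maxPerSession;
        this.maxPerIp = maxPerIp;
        this.period = period;
        this.clock = clock;
    }

    /** Check at connect time (or before AUTH): is this remote IP currently blocked? */
    public boolean isBlocked(String ip) {
        Window w = byIp.get(ip);
        if (w == null) return false;
        synchronized (w) {
            return !expired(w) && w.failures >= maxPerIp;   // an expired window no longer counts
        }
    }

    /** Record one failed AUTH from 'ip'; returns what the session handler should do next. */
    public Action onFailure(String ip, int failuresThisSession) {
        Window w = byIp.computeIfAbsent(ip, k -> new Window());
        synchronized (w) {
            if (w.first == null || expired(w)) { w.first = clock.instant(); w.failures = 0; }
            w.failures++;
            if (w.failures >= maxPerIp) return Action.BLOCK_IP;
        }
        return failuresThisSession >= maxPerSession ? Action.DISCONNECT_SESSION : Action.CONTINUE;
    }

    /** The log line the comment asks for: method, user and remote IP on every failed AUTH. */
    public static String failureLogLine(String method, String user, String ip) {
        return "AUTH method " + method + " failed for user " + user + " from " + ip;
    }

    private boolean expired(Window w) { return Duration.between(w.first, clock.instant()).compareTo(period) > 0; }
}
```

With maxPerSession=3, maxPerIp=10 and a 15-minute window, the third failure in one session yields DISCONNECT_SESSION and the tenth from the same address within the window yields BLOCK_IP, after which isBlocked() stays true until the window expires.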



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
