Admin Console Login allows Brute Force Login

Description

Openfire Admin Console allows brute force login.
It MUST implement some security verifications and listeners that monitor login attempts.

  • Limit login attempts per IP in a time period.

  • Limit login attempts in a time period.

  • Test Cases (Optional)

Environment

Every Platform

Activity

LG
April 22, 2007, 12:51 AM

Adding a random delay of 1-3 seconds before returning an error if the password is wrong is never a fault.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.
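The two limits from the issue description (attempts per source address in a window, and total attempts in a window) and the remote-address restriction suggested in the comment above, as an added example that is not part of this issue or of Openfire's code base. It is a language-neutral sliding-window limiter written in Python for illustration; the limits, window, networks, addresses and the credential check are constructed values, not Openfire settings.

```python
import time
import ipaddress
from collections import deque, defaultdict


class LoginAttemptGuard:
    """Sliding-window limiter for admin-console login attempts.

    Two independent limits, matching the two bullets in the issue:
      * failed attempts from one source address within the window
      * failed attempts from all sources within the window
    plus an optional allow-list of networks the console may be reached from.
    All defaults are constructed for this example, not Openfire's values.
    """

    def __init__(self, max_per_ip=5, max_total=50, window_seconds=600,
                 allowed_networks=None, clock=None):
        self.max_per_ip = max_per_ip
        self.max_total = max_total
        self.window = window_seconds
        self.allowed = [ipaddress.ip_network(n) for n in (allowed_networks or [])]
        self.clock = clock or time.monotonic   # injectable so tests can advance time
        self._per_ip = defaultdict(deque)      # ip -> timestamps of failures
        self._total = deque()                  # timestamps of all failures

    def _prune(self, q, now):
        # Drop failures that fell out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def _address_allowed(self, ip):
        if not self.allowed:        # empty allow-list means "no restriction"
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def is_blocked(self, ip):
        now = self.clock()
        if not self._address_allowed(ip):
            return True
        per_ip = self._per_ip[ip]
        self._prune(per_ip, now)
        self._prune(self._total, now)
        return len(per_ip) >= self.max_per_ip or len(self._total) >= self.max_total

    def record_failure(self, ip):
        now = self.clock()
        self._per_ip[ip].append(now)
        self._total.append(now)


def attempt_login(guard, ip, password, check_password):
    """Evaluate the limiter BEFORE the credential check, and refuse a blocked
    source even when the password is right, so the block state never reveals
    whether a guess was correct."""
    if guard.is_blocked(ip):
        return "blocked"
    if check_password(password):
        return "ok"
    guard.record_failure(ip)
    return "failed"


class FakeClock:
    """Constructed clock so the window expiry can be exercised deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    guard = LoginAttemptGuard(max_per_ip=3, max_total=5, window_seconds=60,
                              allowed_networks=["10.0.0.0/24"], clock=clock)
    check = lambda pw: pw == "correct-horse"   # constructed credential check
    results = []
    for _ in range(3):
        results.append(attempt_login(guard, "10.0.0.7", "guess", check))         # failed x3
    results.append(attempt_login(guard, "10.0.0.7", "correct-horse", check))     # blocked: per-IP limit hit
    results.append(attempt_login(guard, "10.0.0.8", "guess", check))             # failed (4 total)
    results.append(attempt_login(guard, "10.0.0.9", "guess", check))             # failed (5 total)
    results.append(attempt_login(guard, "10.0.0.10", "correct-horse", check))    # blocked: global limit hit
    results.append(attempt_login(guard, "192.168.1.5", "correct-horse", check))  # blocked: outside allow-list
    clock.t += 61                                                                # window expires
    results.append(attempt_login(guard, "10.0.0.7", "correct-horse", check))     # ok again
    return results


if __name__ == "__main__":
    print(demo())
```

The global limit is the blunt instrument: once it trips, every source is refused until the window drains, so a single noisy client can lock legitimate admins out. That is the trade-off behind pairing it with the per-address limit and the allow-list, and why the window should be short enough to recover from without an operator restart.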

Thiago Rocha Camargo
April 21, 2007, 12:00 AM

A day has 86400 seconds. A week 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change admin password every month. Or at least we MUST not trust it.
This is a Best Practices issue.

Johannes Grimm
April 20, 2007, 9:31 PM

Perhaps simply delaying the error msg would be sufficient ... so brute force takes really long (0.5 or 1 sec should be enough).

Fixed

Assignee

Daniel Henninger

Reporter

Thiago Rocha Camargo