Bad passwords and account lockout

Hi! A while ago I tried to get openfire to work with fail2ban so that if a user tries to log in with an incorrect password more than a certain number of times, his account would get locked out for a period of time to discourage brute force attacks. I found ever since that the IP address isn’t logged and there was no intention of adding it. So I wonder if there is a way to get openfire itself to ban a user for a few minutes if there are many failed attempts to log in from a certain IP address or a certain user.

Hi David. To the best of my knowledge, such a feature doesn’t currently exist for regular users (it does exist for admin console login attempts). It would be interesting to have that added though.

Implementation-wise, we’d probably want to split this up: IP-based restrictions should probably go in the IO-handling parts of Openfire (powered by Apache MINA) while username-based restrictions / attempt counts should go elsewhere.
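As an added illustration of the split suggested in the reply above (not code from Openfire or from the thread participants), the sketch below keeps two independent failure counters: one keyed by client IP, which would belong in the connection layer, and one keyed by username, which would belong next to the authentication logic. Each counter uses a sliding window and a fixed lockout period; the thresholds, the `LoginGate` and `FailureTracker` names, and the `password_ok` flag that stands in for the real credential check are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass
class LockoutPolicy:
    max_failures: int       # failures tolerated inside the window before locking
    window_seconds: float   # sliding window over which failures are counted
    lockout_seconds: float  # how long the key stays locked once the limit is hit


class FailureTracker:
    """Counts failed attempts per key (an IP address or a username) within a
    sliding window and locks the key for a fixed period once the limit is hit."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        window = self._failures[key]
        while window and now - window[0] > self.policy.window_seconds:
            window.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and the failures that caused it.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Record one failure; returns True if the key is now locked."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.policy.max_failures:
            self._locked_until[key] = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, key):
        # A successful login clears the failure history for that key.
        self._failures.pop(key, None)


class LoginGate:
    """Combines an IP-keyed tracker (connection layer) with a username-keyed
    tracker (authentication layer). Thresholds are illustrative assumptions."""

    def __init__(self, ip_tracker: FailureTracker, user_tracker: FailureTracker):
        self.ip_tracker = ip_tracker
        self.user_tracker = user_tracker

    def check_login(self, ip, username, password_ok, now=None):
        """Gate one login attempt. `password_ok` stands in for the real
        credential check. Returns 'locked_ip', 'locked_user', 'ok' or 'fail'."""
        now = time.time() if now is None else now
        if self.ip_tracker.is_locked(ip, now):
            return "locked_ip"      # rejected before the user store is touched
        if self.user_tracker.is_locked(username, now):
            return "locked_user"
        if password_ok:
            self.ip_tracker.record_success(ip)
            self.user_tracker.record_success(username)
            return "ok"
        self.ip_tracker.record_failure(ip, now)
        self.user_tracker.record_failure(username, now)
        return "fail"


if __name__ == "__main__":
    # Constructed scenario: five bad passwords for one account lock that
    # account for ten minutes, even when the correct password follows.
    gate = LoginGate(
        FailureTracker(LockoutPolicy(max_failures=20, window_seconds=60, lockout_seconds=300)),
        FailureTracker(LockoutPolicy(max_failures=5, window_seconds=300, lockout_seconds=600)),
    )
    for t in range(5):
        print(gate.check_login("10.0.0.1", "alice", False, now=t))  # fail
    print(gate.check_login("10.0.0.1", "alice", True, now=5))        # locked_user
    print(gate.check_login("10.0.0.1", "alice", True, now=700))      # ok
```

Two points worth noting when turning this into a real server feature: the distinct `locked_user` result is useful for logging, but the response sent to the client should be the same generic failure as a wrong password, otherwise the lockout reveals which accounts exist; and a username-keyed lock lets anyone who knows a username lock that account out for the lockout period, which is one reason to pair it with the IP-keyed counter rather than rely on it alone.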

Great! Should I request it as a new feature in some ticketing system? Unfortunately I’m not a Java coder so I cannot offer to code it myself.

I have filed OF-2279.

Thank you very much!

