Bad passwords and account lockout

Hi! A while ago I tried to get openfire to work with fail2ban so that if a user tries to log in with an incorrect password more than a certain number of times, his account would get locked out for a period of time to discourage brute force attacks. I have since found that the IP address isn’t logged and there was no intention of adding it. So I wonder if there is a way to get openfire itself to ban a user for a few minutes if there are many failed attempts to log in from a certain IP address or a certain user.

Thanks in advance.
Best regards,
David Wells.

Hi David. To the best of my knowledge, such a feature doesn’t currently exist for regular users (it does exist for admin console login attempts). It would be interesting to have that added though.

Implementation-wise, we’d probably want to split this up: IP-based restrictions should probably go in the IO-handling parts of Openfire (powered by Apache MINA) while username-based restrictions / attempt counts should go elsewhere.

Great! Should I request it as a new feature in some ticketing system? Unfortunately I’m not a Java coder, so I cannot offer to code it myself.

Thank you very much for your answer.

I have filed OF-2279.


Thank you very much!

Best regards,
David Wells.

Hi Guus, about the bad passwords and temporary account lockout feature, you said it does exist for admin console login attempts. How do I check whether this feature is enabled, and how do I configure it?

The functionality to limit authentication attempts is ‘always on’. It is controlled by four properties:

adminConsole.maxAttemptsPerIP (default: 10)
Maximum number of Admin Console login attempts per IP address that can be performed in a given time frame.

adminConsole.perIPAttemptResetInterval (default: 15 minutes)
Time frame before Admin Console login attempts per IP address are reset.

adminConsole.maxAttemptsPerUsername (default: 10)
Maximum number of Admin Console login attempts per username that can be performed in a given time frame.

adminConsole.perUsernameAttemptResetInterval (default: 15 minutes)
Time frame before Admin Console login attempts per username are reset.
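To make the four properties concrete, here is an added example (illustrative code, not Openfire's own implementation) modelling how per-IP and per-username limits with separate reset intervals interact: a failed attempt is counted against both the source address and the target username, tripping either limit rejects the login even with the right password, and a count starts over once its interval has elapsed. The property names and defaults are taken from the answer above; the class names, the choice to count only failed attempts, and the sample addresses and usernames are assumptions.

```python
from datetime import datetime, timedelta

# Defaults copied from the four properties quoted above; the classes are an illustrative model, not Openfire's code.
DEFAULTS = {
    "adminConsole.maxAttemptsPerIP": 10,
    "adminConsole.perIPAttemptResetInterval": timedelta(minutes=15),
    "adminConsole.maxAttemptsPerUsername": 10,
    "adminConsole.perUsernameAttemptResetInterval": timedelta(minutes=15),
}

class _Window:
    def __init__(self, max_attempts, reset_interval):
        self.max_attempts, self.reset_interval = max_attempts, reset_interval
        self.counts = {}  # key -> (time of first counted failure, failures since then)

    def failures(self, key, now):
        """Current (first_failure_time, count) for key; both start over once the reset interval has elapsed."""
        first, count = self.counts.get(key, (now, 0))
        return (now, 0) if now - first >= self.reset_interval else (first, count)

    def is_blocked(self, key, now):
        return self.failures(key, now)[1] >= self.max_attempts

    def record(self, key, now):
        first, count = self.failures(key, now)
        self.counts[key] = (first, count + 1)

class AdminLoginLimiter:
    """Tripping either the per-IP or the per-username limit rejects the login."""

    def __init__(self, props=DEFAULTS):
        self.by_ip = _Window(props["adminConsole.maxAttemptsPerIP"],
                             props["adminConsole.perIPAttemptResetInterval"])
        self.by_user = _Window(props["adminConsole.maxAttemptsPerUsername"],
                               props["adminConsole.perUsernameAttemptResetInterval"])

    def attempt(self, ip, username, password_ok, now):
        """True if the login is accepted; False if the password is wrong or the source is locked out."""
        if self.by_ip.is_blocked(ip, now) or self.by_user.is_blocked(username, now):
            return False  # locked out: rejected even when the password would be right
        if password_ok:
            return True
        self.by_ip.record(ip, now)  # a failure counts against both the IP and the username
        self.by_user.record(username, now)
        return False

def simulate(events, props=DEFAULTS):
    """Replay constructed (minute_offset, ip, username, password_ok) events and return one verdict per event."""
    limiter, t0 = AdminLoginLimiter(props), datetime(2024, 1, 1, 12, 0)
    return [limiter.attempt(ip, user, ok, t0 + timedelta(minutes=m)) for m, ip, user, ok in events]
```

Replaying ten failures from one address followed by the correct password shows the lockout holding until the 15-minute interval has passed, while spreading the failures over many addresses against one username still trips the per-username limit.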