Openfire Admin Console - Prevent Brute Force

Hi everyone,

We are struggling to understand how to prevent brute force on the Openfire Admin Console. It seems that this feature is available from earlier versions, but how do we enable it and how do we configure it?

We can still log in 5 times with a wrong password and there is no mechanism to prevent brute force from the Openfire admin console.

We are working with Openfire 4.7.5, build ee4395e

Thanks a lot for your support.

Authentication attempts are limited per username and per IP address. This feature cannot be disabled (although it can be re-configured to make it effectively useless). When a limit is hit, the end-user won't notice much of a difference: it is as if they provided an incorrect password. Maybe that's what is confusing you? When limits are hit, warnings will be logged in the log file. Also, correct username/password combinations will not work. That's how you can determine if the feature is working for you.

The functionality is controlled by four properties:

adminConsole.maxAttemptsPerIP (default: 10)
Maximum number of Admin Console login attempts per IP address that can be performed in a given time frame.

adminConsole.perIPAttemptResetInterval (default: 15 minutes)
Time frame before Admin Console login attempts per IP address are reset.

adminConsole.maxAttemptsPerUsername (default: 10)
Maximum number of Admin Console login attempts per username that can be performed in a given time frame.

adminConsole.perUsernameAttemptResetInterval (default: 15 minutes)
Time frame before Admin Console login attempts per username are reset.
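As an added illustration of how these four properties interact (this is a model written for this page, not Openfire's own LoginLimitManager code, and the exact boundary and reset semantics it uses are assumptions): the model counts failed attempts per IP address and per username, clears the counters wholesale once the reset interval (an integer number of milliseconds) has elapsed, and checks the limit before the password is verified, which is why a correct password is also rejected while a limit is in effect. The class, function and sample addresses are invented for the example.

```python
import time
from collections import defaultdict

# Openfire's property names with the defaults listed above.
DEFAULTS = {
    "adminConsole.maxAttemptsPerIP": "10",
    "adminConsole.perIPAttemptResetInterval": str(15 * 60 * 1000),   # 15 minutes in ms
    "adminConsole.maxAttemptsPerUsername": "10",
    "adminConsole.perUsernameAttemptResetInterval": str(15 * 60 * 1000),
}


def valid_millis(value):
    """Duration properties are an integer count of milliseconds; "5 minutes" is not."""
    return str(value).strip().isdigit()


def parse_millis(value):
    if not valid_millis(value):
        raise ValueError(f"expected an integer millisecond count, got {value!r}")
    return int(str(value).strip())


class LoginLimiter:
    """Model of the per-IP / per-username limiter (assumed semantics, see lead-in)."""

    def __init__(self, props=None, clock_ms=lambda: int(time.time() * 1000)):
        p = {**DEFAULTS, **(props or {})}
        self.max_per_ip = int(p["adminConsole.maxAttemptsPerIP"])
        self.max_per_user = int(p["adminConsole.maxAttemptsPerUsername"])
        self.ip_reset_ms = parse_millis(p["adminConsole.perIPAttemptResetInterval"])
        self.user_reset_ms = parse_millis(p["adminConsole.perUsernameAttemptResetInterval"])
        self.clock_ms = clock_ms
        self.ip_attempts = defaultdict(int)
        self.user_attempts = defaultdict(int)
        self.ip_window_start = clock_ms()
        self.user_window_start = clock_ms()
        self.warnings = []  # what would be written to the Openfire log

    def _expire(self):
        # Assumption: counters are cleared as a whole once the interval has
        # elapsed (a fixed window), not decremented per attempt.
        now = self.clock_ms()
        if now - self.ip_window_start >= self.ip_reset_ms:
            self.ip_attempts.clear()
            self.ip_window_start = now
        if now - self.user_window_start >= self.user_reset_ms:
            self.user_attempts.clear()
            self.user_window_start = now

    def limited(self, username, address):
        self._expire()
        return (self.ip_attempts[address] >= self.max_per_ip
                or self.user_attempts[username] >= self.max_per_user)

    def login(self, username, address, password_correct):
        """Returns "ok", "bad_credentials" or "limited". The limit is checked
        before the password, so a locked-out user or address fails even with
        the right password, exactly as if the password were wrong."""
        if self.limited(username, address):
            if self.ip_attempts[address] >= self.max_per_ip:
                self.warnings.append(f"Login attempt limit breached for address {address}")
            if self.user_attempts[username] >= self.max_per_user:
                self.warnings.append(f"Login attempt limit breached for username {username}")
            return "limited"
        if password_correct:
            return "ok"
        self.ip_attempts[address] += 1
        self.user_attempts[username] += 1
        return "bad_credentials"


class FakeClock:
    """Manually advanced clock so the reset interval can be exercised offline."""

    def __init__(self, start_ms=0):
        self.now_ms = start_ms

    def __call__(self):
        return self.now_ms

    def advance(self, ms):
        self.now_ms += ms


def demo():
    """Scenario from this thread: limits of 5 with a 5-minute (300000 ms) reset."""
    clock = FakeClock()
    limiter = LoginLimiter({
        "adminConsole.maxAttemptsPerIP": "5",
        "adminConsole.maxAttemptsPerUsername": "5",
        "adminConsole.perIPAttemptResetInterval": "300000",
        "adminConsole.perUsernameAttemptResetInterval": "300000",
    }, clock_ms=clock)
    results = [limiter.login("admin", "203.0.113.7", False) for _ in range(5)]
    results.append(limiter.login("admin", "203.0.113.7", True))     # right password, still locked
    results.append(limiter.login("admin", "198.51.100.9", True))    # other IP, same username: locked
    results.append(limiter.login("operator", "203.0.113.7", True))  # other user, same IP: locked
    clock.advance(300_000)                                          # reset interval elapses
    results.append(limiter.login("admin", "203.0.113.7", True))     # now succeeds
    return results, limiter.warnings


if __name__ == "__main__":
    results, warnings = demo()
    print(results)
    print("\n".join(warnings))
```

Two things the model makes visible: the per-username counter locks the account from every address, so an attacker who knows the admin username can keep it locked out for legitimate operators, and the per-IP counter locks every username from that address, which matters when the console is reached through a proxy that hides the real client address.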

I would suggest whitelisting your IPs for port 9091 (the Admin Console port) and blocking all other IPs. This worked for me after a recent ransomware attack.

Maybe I am blind, but it seems these settings cannot be altered via System Properties in the web interface.
Where can I decrease these limits?

When the system properties are not shown, their default values are used. To change them, you have to create a new property by that name (and provide your desired value).


Hi Guus,

Thanks for listing the system properties that I should use to implement a mechanism to prevent brute force attacks.

I tried to set the values below, but even after 5 attempts with a wrong login or password, I can still log in right after. I tried restarting the server, but got the same result. Did I miss something?

Property Name                                  Property Value
adminConsole.maxAttemptsPerIP                  5
adminConsole.maxAttemptsPerUsername            5
adminConsole.perIPAttemptResetInterval         5 minutes
adminConsole.perUsernameAttemptResetInterval   5 minutes

Have you provided the literal string "5 minutes"? The duration values should be a number in milliseconds. Some of these settings require a restart of Openfire before they take effect.

You can have a look at Openfire’s log file to see if they kick in. As soon as they do, something like this will be logged:

org.jivesoftware.admin.LoginLimitManager - Login attempt limit breached for address [0:0:0:0:0:0:0:1]
org.jivesoftware.admin.LoginLimitManager - Login attempt limit breached for username admin
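As an added example of turning those warnings into a check (not Openfire code and not part of this thread): the script below scans log text for the LoginLimitManager message quoted above and counts breaches per address and per username. The message text is the one shown in the reply; the sample lines are constructed for this example, and their timestamp/level/thread prefix is an assumption about the log layout rather than copied from a real server, so the parser only relies on the message itself.

```python
import re
from collections import Counter

# Constructed sample log text (not real server output). The breach messages
# match the ones quoted in the reply above; the prefix layout is assumed.
SAMPLE_LOG = """\
2023.05.10 11:09:24 WARN  [Jetty-QTP-AdminConsole-41]: org.jivesoftware.admin.LoginLimitManager - Login attempt limit breached for address [203.0.113.7]
2023.05.10 11:09:24 WARN  [Jetty-QTP-AdminConsole-41]: org.jivesoftware.admin.LoginLimitManager - Login attempt limit breached for username admin
2023.05.10 11:09:31 INFO  [Jetty-QTP-AdminConsole-12]: org.jivesoftware.openfire.XMPPServer - unrelated constructed line
2023.05.10 11:10:02 WARN  [Jetty-QTP-AdminConsole-41]: org.jivesoftware.admin.LoginLimitManager - Login attempt limit breached for address [0:0:0:0:0:0:0:1]
2023.05.10 11:10:05 WARN  [Jetty-QTP-AdminConsole-41]: org.jivesoftware.admin.LoginLimitManager - Login attempt limit breached for address [203.0.113.7]
"""

# Only the logger name and message are matched, so the prefix format does not matter.
BREACH_RE = re.compile(
    r"^(?P<ts>\S+ \S+).*?"
    r"org\.jivesoftware\.admin\.LoginLimitManager - "
    r"Login attempt limit breached for (?P<kind>address|username) (?P<key>\S+)\s*$"
)


def parse_breaches(text):
    """Yield (timestamp, kind, key) for every breach warning in the log text."""
    for line in text.splitlines():
        m = BREACH_RE.match(line)
        if m:
            key = m.group("key").strip("[]")  # addresses are logged in brackets
            yield m.group("ts"), m.group("kind"), key


def summarize(text):
    """Count breach warnings per address and per username."""
    addresses, usernames = Counter(), Counter()
    for _, kind, key in parse_breaches(text):
        (addresses if kind == "address" else usernames)[key] += 1
    return addresses, usernames


def noisy_sources(text, threshold=2):
    """Addresses that tripped the limit at least `threshold` times: candidates
    for a firewall block, since the limiter alone only slows an attacker down."""
    addresses, _ = summarize(text)
    return sorted(a for a, n in addresses.items() if n >= threshold)


if __name__ == "__main__":
    addresses, usernames = summarize(SAMPLE_LOG)
    print("per address :", dict(addresses))
    print("per username:", dict(usernames))
    print("block candidates:", noisy_sources(SAMPLE_LOG))
```

Run it against the real warn log to confirm the limiter is firing. If the console sits behind a reverse proxy, check that the address in these lines is the client's and not the proxy's own; if it is the proxy's, the per-IP counter covers every user behind that proxy and the block list above would point at the proxy.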