I'd like to know if there is a way to only allow SSL connections to the web admin console.
Also, as a way to improve security, I'd like to have an option to ban an IP that, within a configured number of tries (3 or less), guesses the password wrong, to prevent someone from hammering the login box, because this can be accessed from anywhere in the world…
I think there is an option to force SSL-only connections to AC.
About hammering… I've just set up my firewall so connections to Admin Console are accepted only from two IPs in combination with MAC addresses. Secure enough, I think.
Sometimes I mistype the password 3 times, and only after this I notice that the wrong input locale is selected :D
Well, I must agree with you :) Though I'm using AC only from one PC, because it's convenient, and you don't have to be physically sitting in front of the server :) And you don't have to put any graphical environment or browser on the server. So, the firewall is good for me, for now :)
So, maybe the devs could add some Security tab to Admin Console, so anyone will be able to control such options as password input tries, banning/unbanning IPs, setting Admin Console logout timeout, setting admins, etc. Could be convenient to have all this in one place? Or maybe it should be editable only in the config file, if talking about security?
In the jive-messenger.xml file you can define/change the property adminConsole.authorizedUsernames to include the names of the users allowed to log into the admin console. The configuration file has a comment explaining how to use this property.
Take into consideration that the usernames should be existing users in the server (i.e. users that may log into the server using any XMPP client). And the password to use for logging into the admin console is the same password that the user would use from the XMPP client.
FYI, one of our ideas regarding the admin console is to add ACL support.