Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Admin Console Login allows Brute Force Login

Description

Openfire Admin Console allows brute force login.
It MUST implement some security verifications and listeners that monitors login attempts.

  • Limit login attempts per IP in a time period.

  • Limit login attempts in a time period.

  • Test Cases ( Optional )

Environment

Every Plataform

Activity

Show:

LG April 22, 2007 at 12:51 AM

Adding a random delay of 1-3 seconds is never a fault if the password is wrong before returning an error.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.

Thiago Rocha Camargo April 21, 2007 at 12:00 AM

An day has 86400 seconds. A week 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change admin password every month. Or at least we MUST not trust in it.
This is a Best Pratices issue.

Johannes Grimm April 20, 2007 at 9:31 PM

perhaps a simple delaying the error msg would sufficant ... so bruteforce takes really long .. (0.5 or 1 sec should be enough)

Fixed

Details

Assignee

Reporter

Original estimate

Time tracking

No time logged1d remaining

Components

Fix versions

Affects versions

Priority

Created March 26, 2007 at 10:20 PM
Updated August 26, 2008 at 3:50 AM
Resolved August 26, 2008 at 3:50 AM