james-server-dev mailing list archives

From "Bernd Waibel (JIRA)" <server-...@james.apache.org>
Subject [jira] [Commented] (JAMES-1723) Add protection from password bruteforcing
Date Wed, 20 Apr 2016 06:31:25 GMT

https://issues.apache.org/jira/browse/JAMES-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15249361#comment-15249361

Bernd Waibel commented on JAMES-1723:

Currently, James 2.3.2 does not log the IP and user in the log file.
Only "AUTH method PLAIN failed" or "AUTH method LOGIN failed". Ditto for "succeeded".
This is not enough, because you cannot find out "who" has tried to log in, and how often he/she did this.

So please consider writing the IP to the log.
(Currently, 2.3.2, implemented in AuthCmdHandler.)
            getLogger().error("AUTH method PLAIN failed for user " + user + " from " + session.getRemoteIPAddress());

This is independent of fail2ban.

> Add protection from password bruteforcing
> -----------------------------------------
>                 Key: JAMES-1723
>                 URL: https://issues.apache.org/jira/browse/JAMES-1723
>             Project: James Server
>          Issue Type: New Feature
>    Affects Versions: Trunk, 3.0-beta4, 3.0.0-beta5
>            Reporter: Alexei Osipov
> Right now James has no mechanisms of protection against password forcing.
> For example, it's possible to connect to James via SMTP and execute the AUTH command as many times as needed to guess a user's password.
> Common practices that may be used by James:
> 1) Force disconnect after few unsuccessful AUTH requests.
> 2) Count failed AUTH requests by IP address and reject connections from that IP if the number of failures reaches some threshold.
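The two measures listed in the quoted issue, together with the per-IP log line proposed in the comment above, as an added example that is not James code: a fail2ban-style parser for the proposed "AUTH method ... failed for user ... from ..." log format, and a tracker that disconnects a session after a few failed AUTH attempts and blocks an IP once its failures within a sliding window reach a threshold. The leading timestamp and session id in the log format, the threshold values, and the sample log lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed log format: it mirrors the line the commenter proposes for
# AuthCmdHandler, with a leading epoch timestamp and a session id that are
# assumed here so the example can correlate attempts per session.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d+) session=(?P<session>\S+) AUTH method (?P<method>\w+) failed "
    r"for user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)$"
)


def parse_auth_failure(line):
    """Return ts/session/method/user/ip for a failed-AUTH log line, or None
    for any other line (successful logins included)."""
    m = AUTH_FAIL_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = int(event["ts"])
    return event


class AuthFailureTracker:
    """The two measures from the issue description:
    1) disconnect a session after a few failed AUTH attempts, and
    2) block an IP once its failures inside a sliding window reach a threshold.
    The default thresholds are constructed values, not James settings."""

    def __init__(self, max_per_session=3, max_per_ip=10,
                 window_seconds=600, block_seconds=3600):
        self.max_per_session = max_per_session
        self.max_per_ip = max_per_ip
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._session_failures = defaultdict(int)
        self._ip_failures = defaultdict(deque)  # ip -> failure timestamps in window
        self._blocked_until = {}

    def is_blocked(self, ip, now):
        """True while a block on ip is still in force; expired blocks are dropped."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, session, now):
        """Record one failed AUTH and return the action to take:
        'block' (reject further connections from ip), 'disconnect'
        (drop this session), or 'continue'."""
        window = self._ip_failures[ip]
        window.append(now)
        # Age out failures older than the sliding window.
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_ip:
            self._blocked_until[ip] = now + self.block_seconds
            window.clear()
            return "block"
        self._session_failures[session] += 1
        if self._session_failures[session] >= self.max_per_session:
            del self._session_failures[session]
            return "disconnect"
        return "continue"


def replay_log(lines, tracker=None):
    """Feed failed-AUTH lines through a tracker; return the IPs it blocked
    and a per-IP failure count, the way a fail2ban-style filter would."""
    tracker = tracker or AuthFailureTracker()
    blocked = set()
    counts = defaultdict(int)
    for line in lines:
        event = parse_auth_failure(line)
        if event is None:
            continue
        counts[event["ip"]] += 1
        if tracker.record_failure(event["ip"], event["session"], event["ts"]) == "block":
            blocked.add(event["ip"])
    return blocked, dict(counts)


# Constructed sample log: one host guessing alice's password across many
# sessions, one user mistyping once, and a success line that must be ignored.
SAMPLE_LOG = (
    [f"{1000 + i} session=s{i} AUTH method PLAIN failed for user alice from 198.51.100.7"
     for i in range(12)]
    + ["1005 session=s99 AUTH method LOGIN failed for user bob from 203.0.113.5",
       "1006 session=s99 AUTH method LOGIN succeeded for user bob from 203.0.113.5"]
)

if __name__ == "__main__":
    blocked_ips, failures = replay_log(SAMPLE_LOG)
    print("blocked:", sorted(blocked_ips))
    print("failures per IP:", failures)
```

Without the IP in the log line, neither the parser nor fail2ban has anything to key on, which is the commenter's point; with it, the same line serves both an in-server tracker like the one above and an external log watcher.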

This message was sent by Atlassian JIRA

