Openfire (ARCHIVED)

Admin Console Login allows Brute Force Login

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0 Beta, 3.2.0 RC, 3.2.0 RC 2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0 Alpha 1, 3.3.0 Beta 1, 3.2.4, 3.3.0, 3.x
  • Fix Version/s: 3.6.0
  • Component/s: Admin Console
  • Labels:
    None
  • Environment:

    Every platform

  • Acceptance Test - Add?:
    No

Description

Openfire Admin Console allows brute force login.
It MUST implement some security verifications and listeners that monitor login attempts.

  • Limit login attempts per IP in a time period.
  • Limit login attempts in a time period.
  • Test Cases (Optional)
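The two limits the description asks for (per-address and global failed-attempt counts within a time window), as an added example written for this page. It is not Openfire's own code and uses no Openfire API; the `LoginThrottle` class, its thresholds, the 60-second window and the sample addresses are assumptions. Only failures are counted, so an admin who types the right password is never counted against either limit, and the caller passes the clock in so the behaviour is deterministic.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (hypothetical class, not Openfire's code): a sliding-window
 * limiter for admin console login failures.
 *   - at most maxPerIp failed attempts from one remote address per window
 *   - at most maxGlobal failed attempts from all addresses per window
 * Timestamps are passed in by the caller (System.currentTimeMillis() in a
 * real servlet) so the demo below runs the same way every time.
 */
public class LoginThrottle {
    private final int maxPerIp;
    private final int maxGlobal;
    private final long windowMillis;
    // Timestamps of recent failures, oldest first.
    private final Map<String, Deque<Long>> failuresByIp = new HashMap<>();
    private final Deque<Long> globalFailures = new ArrayDeque<>();

    public LoginThrottle(int maxPerIp, int maxGlobal, long windowMillis) {
        this.maxPerIp = maxPerIp;
        this.maxGlobal = maxGlobal;
        this.windowMillis = windowMillis;
    }

    /** Drop timestamps that have aged out of the window. */
    private static void expire(Deque<Long> q, long now, long windowMillis) {
        while (!q.isEmpty() && now - q.peekFirst() >= windowMillis) {
            q.pollFirst();
        }
    }

    /** True if a login attempt from this address may be processed right now. */
    public synchronized boolean isAllowed(String ip, long now) {
        expire(globalFailures, now, windowMillis);
        if (globalFailures.size() >= maxGlobal) {
            return false;
        }
        Deque<Long> q = failuresByIp.get(ip);
        if (q == null) {
            return true;
        }
        expire(q, now, windowMillis);
        if (q.isEmpty()) {
            failuresByIp.remove(ip); // keep the map from growing without bound
            return true;
        }
        return q.size() < maxPerIp;
    }

    /** Record a failed login from this address; call only after a wrong password. */
    public synchronized void recordFailure(String ip, long now) {
        failuresByIp.computeIfAbsent(ip, k -> new ArrayDeque<>()).addLast(now);
        globalFailures.addLast(now);
    }

    /** Demo with constructed traffic: an attacker at 10.0.0.5, an admin at 192.0.2.10. */
    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(5, 50, 60_000L);
        long now = 0L;
        for (int i = 0; i < 5; i++) {
            now += 100;
            t.recordFailure("10.0.0.5", now);
        }
        System.out.println("attacker after 5 failures allowed: " + t.isAllowed("10.0.0.5", now));
        System.out.println("admin from another address allowed: " + t.isAllowed("192.0.2.10", now));
        System.out.println("attacker once the window has passed: " + t.isAllowed("10.0.0.5", now + 60_000L));
    }
}
```

In a login servlet the check goes before the password comparison (reject with a generic error when `isAllowed` is false) and `recordFailure` after a failed comparison. Two caveats a practitioner would want: the global limit means any remote host can lock every admin out by sending failures, so it needs a generous threshold or an address allowlist alongside it; and the per-address limit is easy to spread across many source addresses, so it slows a single client rather than defeating a distributed guess.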

Activity

Johannes Grimm added a comment -

Perhaps simply delaying the error message would be sufficient... so brute force takes really long (0.5 or 1 sec should be enough).
Thiago Rocha Camargo added a comment -

A day has 86400 seconds. A week 604800. I don't think that it's sufficient. In 3 months it's very easy to get in. I don't think admins change the admin password every month. Or at least we MUST not trust in it.
This is a Best Practices issue.
LG added a comment -

Adding a random delay of 1-3 seconds before returning an error is never a fault if the password is wrong.
An option to limit the remote addresses (e.g. 10.0.0.0/24 or *.dialin.provider.com) would help a lot.

People

Vote (5)
Watch (2)

Dates

  • Due:
    Created:
    Updated:
    Resolved:

Time Tracking

Estimated: 8h
Remaining: 8h
Logged: Not Specified