Server Does Not Enforce Login Attempt Limit with SSL
Reported by: jguire1
Cc: jguire1, Tim Kosse
I have autoban enabled for 5 failed login attempts. I also "Force SSL for user login". The autoban never fires because, I assume, users attempting login get the return error stating that SSL is required and the attempt is not counted into the autoban limit. This situation results in daily logs of up to 3MB in size due to repeated brute force attempts at login. It appears as if there is a program that kiddie hax0rs all over the world have available. I add address masks to the IP Filter as attempts are made, but new kiddies keep trying. I've filtered out most of China by now. Please see the attached log excerpt.
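An added example, not part of the original ticket and not the server's own code: a per-IP failure counter run over a constructed log, showing that a limit of 5 is never reached when rejections for missing SSL are left out of the count, and is reached when they are included. The log layout, reply texts and function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Assumed log layout (constructed for this example): "<ip> <3-digit reply code> <reply text>"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<code>\d{3}) (?P<text>.*)$")

def build_sample():
    """Constructed sample: one plaintext guesser, one TLS guesser, one legitimate user."""
    lines = ["203.0.113.7 530 SSL required"] * 6            # never negotiates SSL
    lines += ["198.51.100.20 530 Login or password incorrect"] * 5
    lines += ["192.0.2.15 530 SSL required",                 # misconfigured client...
              "192.0.2.15 230 Logged on"]                    # ...that then logs in correctly
    return lines

def ips_to_ban(lines, limit=5, count_ssl_rejections=True):
    """Return the set of IPs whose consecutive failed attempts reach `limit`."""
    failures = Counter()
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines that do not fit the layout
        ip, code, text = m["ip"], m["code"], m["text"]
        if code == "230":                  # successful login clears the counter
            failures[ip] = 0
            continue
        if code != "530":
            continue
        is_ssl_rejection = "ssl required" in text.lower()
        if is_ssl_rejection and not count_ssl_rejections:
            continue                       # the behaviour the reporter assumes
        failures[ip] += 1
        if failures[ip] >= limit:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    log = build_sample()
    print("credential failures only:", sorted(ips_to_ban(log, count_ssl_rejections=False)))
    print("SSL rejections counted:  ", sorted(ips_to_ban(log, count_ssl_rejections=True)))
```

The same counter can be run over real server logs to produce IP Filter entries once the pattern is adapted to the actual log format.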