John Garrould wrote:

> Is there a way to configure the server so that malicious users cannot
> try multiple log-in attempts without reconnecting? Ideally I would
> like to be able to configure the connection to be dropped after 3
> invalid attempts at the password.

I don't believe this is currently configurable. Niklas or Rana can correct me if I'm wrong about this.

> How do you recommend we protect the server against this form of attack?

Probably set up a counter in the FtpSession implementation, then when a login fails, the PASS class can obtain the session through the Connection class, decrement the number of tries remaining and drop the connection if the number reaches zero. Should be pretty straightforward. You might want to have a try yourself, if you feel up to it.

In the meantime, please raise a call in JIRA (http://issues.apache.org/jira) so the issue can be tracked.
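
The counter approach suggested in the reply above, as an added Java sketch that is not part of the original message and is not Apache FtpServer code. `Session`, `handlePass` and the other names are hypothetical stand-ins for the session and PASS handling the reply mentions, and the password is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical names throughout: this does not use Apache FtpServer's real classes.
public class LoginAttemptLimitDemo {

    /** Per-connection state; the counter lives here so it resets only on reconnect. */
    static class Session {
        private int triesRemaining;
        private boolean open = true;

        Session(int maxTries) { this.triesRemaining = maxTries; }

        /** Records one failed login and returns true when the budget is exhausted. */
        boolean recordFailure() { return --triesRemaining <= 0; }
        void close() { open = false; }
        boolean isOpen() { return open; }
    }

    /** Handles PASS: returns the FTP reply line and closes the session at zero tries. */
    static String handlePass(Session s, String supplied, String expected) {
        if (!s.isOpen()) {
            return "421 Service not available, closing control connection.";
        }
        // Constant-time comparison so the check does not leak how many bytes matched.
        boolean ok = MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            return "230 User logged in, proceed.";
        }
        if (s.recordFailure()) {
            s.close(); // the caller tears down the socket after sending this reply
            return "421 Too many failed logins, closing control connection.";
        }
        return "530 Not logged in.";
    }

    public static void main(String[] args) {
        Session s = new Session(3);          // 3 attempts, as in the question
        String expected = "correct-horse";   // constructed sample password
        // The fourth, correct guess is refused because the session is already closed.
        for (String guess : new String[] {"a", "b", "c", "correct-horse"}) {
            System.out.println(handlePass(s, guess, expected));
        }
    }
}
```

Because the counter is per connection, a client can still reconnect and try again; the sketch covers only the "drop after N failures" behaviour asked about in the thread.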
