--- Begin Message ---
Hello,

I was trying to add some brute force protection to my live555-based RTSP
server, but I realised that this cannot be easily done (unless I am overlooking
something - please let me know if I do), so I would like to suggest a small
change:

In the RTSPServer class, there are 2 functions, specialClientAccessCheck and
specialClientUserAccessCheck, that are called in
RTSPServer::RTSPClientConnection::authenticationOK. The first one is called
right at the beginning to enforce some global restrictions, e.g. based on IP
address, and the second one is called when authentication was successful to
apply some additional restrictions based on the user. I would like to propose a
third function, say specialFailedLoginCheck (feel free to choose a different
name if you don't like this one), that would be called if a login attempt
failed. So in RTSPServer::RTSPClientConnection::authenticationOK it would look
like this:

    if (success) {
      // nothing changes here
    }
    else if (!fOurRTSPServer.specialFailedLoginCheck(fClientInputSocket,
                 fClientAddr, urlSuffix, username)) {
      setRTSPResponse("401 Unauthorized");
      delete[] (char*)username;
      return False;
    }

The idea then is that in specialFailedLoginCheck one could count how many false
attempts there were for some IP address and act upon this, e.g. by locking this
IP address out for some time with specialClientAccessCheck or whatever the user
of the library thinks makes sense for their RTSP server. (The default
implementation of specialFailedLoginCheck just returns True.)

Best regards,
Jay
--- End Message ---
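
The per-address counting and lockout described in the message could be kept in a helper like the one below. This is an added example, not code from the message or from live555: FailedLoginTracker, its method names and its thresholds are hypothetical, and it assumes the caller passes the client address (fClientAddr) already converted to a printable string.

```cpp
#include <chrono>
#include <cstddef>
#include <string>
#include <unordered_map>

// Hypothetical helper, not part of live555: per-IP failed-login counter with lockout.
// maxFailures, window and lockout are assumptions chosen by the server operator.
class FailedLoginTracker {
public:
  using Clock = std::chrono::steady_clock;
  using Seconds = std::chrono::seconds;

  FailedLoginTracker(unsigned maxFailures, Seconds window, Seconds lockout)
    : fMaxFailures(maxFailures), fWindow(window), fLockout(lockout) {}

  // For the proposed specialFailedLoginCheck(): count one failed attempt.
  // Returns true when the address is locked out after this failure.
  bool recordFailure(const std::string& ip, Clock::time_point now = Clock::now()) {
    Entry& e = fEntries[ip];
    if (e.failures == 0 || now - e.windowStart > fWindow) {
      e.failures = 0;        // counting window expired: start afresh
      e.windowStart = now;
    }
    if (++e.failures >= fMaxFailures) e.lockedUntil = now + fLockout;
    return now < e.lockedUntil;
  }

  // For specialClientAccessCheck(): false means the address is currently locked out.
  bool isAllowed(const std::string& ip, Clock::time_point now = Clock::now()) const {
    auto it = fEntries.find(ip);
    return it == fEntries.end() || now >= it->second.lockedUntil;
  }

  // Drop entries that are neither locked nor inside a counting window, so many
  // distinct source addresses cannot grow the table without bound.
  std::size_t prune(Clock::time_point now = Clock::now()) {
    std::size_t removed = 0;
    for (auto it = fEntries.begin(); it != fEntries.end(); ) {
      bool stale = now >= it->second.lockedUntil && now - it->second.windowStart > fWindow;
      if (stale) { it = fEntries.erase(it); ++removed; } else ++it;
    }
    return removed;
  }
  std::size_t size() const { return fEntries.size(); }

private:
  struct Entry { unsigned failures = 0; Clock::time_point windowStart{}, lockedUntil{}; };
  unsigned fMaxFailures;
  Seconds fWindow, fLockout;
  std::unordered_map<std::string, Entry> fEntries;
};
```

Failures spaced further apart than the window never accumulate into a lockout, and prune() is meant to be called periodically from the server's own scheduling.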