Failed Login Throttling Adjustment

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

voiceinthedesert
500 Command not understood
Posts: 3
Joined: 2010-08-03 16:12

#1 Post by voiceinthedesert » 2010-08-03 16:36

Hello,

I am investigating FileZilla as a possible solution for my FTP needs and have a question about the failed login delay. I tested this feature by intentionally logging in to the server incorrectly about a dozen times and the delay did not seem to get above 5 seconds with me hitting the connect button as soon as the previous one failed. I also did not notice a difference in how long the system was taking to authenticate my credentials with each attempt.

My question is, does the delay for this feature max out at 5 seconds? While I understand a 5 second delay frustrates a brute force attack, I would feel better if the maximum delay time was significantly higher than it is. If the delay is a factor of how long it takes to authenticate rather than the initialization, I suppose I just may not be noticing it. And of course, I suppose it's possible my attempts simply don't behave closely enough to an automation to trigger the serious delays. If there is a limit to the maximum delay, is there a way to adjust it?

Thank you for your time and help.

botg
Site Admin
Posts: 32473
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2010-08-03 18:39

Mostly by design. Regardless of what happens, the real user should always be able to log in without too much delay.

#3 Post by voiceinthedesert » 2010-08-03 18:53

Yeah, I'm not worried about legitimate users, since I don't anticipate any of them having such issues. Even if they did get delayed, I don't consider it a problem unless it actually prevented them from logging in (which a delay won't do). My goal is actually to increase the time penalty, if possible. I would like the 5 seconds to be increased to a minute or even several minutes if they fail successive times. Is that something I can alter with a setting within the program or is that delay time part of the code for the server and not variable? Thanks for the quick reply.

horndog
550 Permission denied
Posts: 27
Joined: 2010-06-13 21:27
First name: Stuart
Last name: Kay

#4 Post by horndog » 2010-08-03 19:51

If you're worried about brute force login there is an option to ban after x (variable) amount of failed attempts for x amount of time up to permanent banishment.

boco
Contributor
Posts: 24789
Joined: 2006-05-01 03:28
Location: Germany

#5 Post by boco » 2010-08-04 04:41

Please don't recommend deprecated features. Thanks.

#6 Post by horndog » 2010-08-04 04:57

boco wrote: Please don't recommend deprecated features. Thanks.

Autoban is a current feature on the current server version, yes?

#7 Post by botg » 2010-08-04 06:30

It's not there to stay, far too problematic.

#8 Post by horndog » 2010-08-04 06:49

botg wrote: It's not there to stay, far too problematic.

That's too bad. I find it very useful in keeping the hackers from sucking up my bandwidth.

#9 Post by botg » 2010-08-04 19:36

Hackers are the good guys.

I assume you mean autonomous systems operated by script kiddies.

#10 Post by voiceinthedesert » 2010-08-06 21:18

I take it, then, that there is no way to change the delay time between logins? I discovered that the 5 second delay I was seeing was actually a result of the FileZilla Client, rather than the server. Analyzing the times it takes the server to authenticate, I see about 11 seconds average without increase as logins fail.

If there's no way to change it, can I at least see what the progression of delay is? After how many logins does the delay kick in and how long is that delay? I'm just trying to get a technical overview of this feature. Thanks again for any help you can provide.

#11 Post by boco » 2010-08-06 21:35

FZ Server is OSS, so you could examine it directly in the source code.