
Failed Login Throttling Adjustment

Posted: 2010-08-03 16:36
by voiceinthedesert
Hello,

I am investigating FileZilla as a possible solution for my FTP needs and have a question about the failed login delay. I tested this feature by intentionally logging in to the server incorrectly about a dozen times and the delay did not seem to get above 5 seconds with me hitting the connect button as soon as the previous one failed. I also did not notice a difference in how long the system was taking to authenticate my credentials with each attempt.

My question is, does the delay for this feature max out at 5 seconds? While I understand a 5 second delay frustrates a brute force attack, I would feel better if the maximum delay time was significantly higher than it is. If the delay is a factor of how long it takes to authenticate rather than the initialization, I suppose I just may not be noticing it. And of course, I suppose it's possible my attempts simply don't behave closely enough to an automation to trigger the serious delays. If there is a limit to the maximum delay, is there a way to adjust it?

Thank you for your time and help.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-03 18:39
by botg
Mostly by design. Regardless of what happens, the real user should always be able to log in without too much delay.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-03 18:53
by voiceinthedesert
Yeah, I'm not worried about legitimate users, since I don't anticipate any of them having such issues. Even if they did get delayed, I don't consider it a problem unless it actually prevented them from logging in (which a delay won't do). My goal is actually to increase the time penalty, if possible. I would like the 5 seconds to be increased to a minute or even several minutes if they fail successive times. Is that something I can alter with a setting within the program or is that delay time part of the code for the server and not variable? Thanks for the quick reply.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-03 19:51
by horndog
If you're worried about brute force login, there is an option to ban after x (variable) amount of failed attempts for x amount of time up to permanent banishment.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-04 04:41
by boco
Please don't recommend deprecated features. Thanks.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-04 04:57
by horndog
boco wrote: Please don't recommend deprecated features. Thanks.
Autoban is a current feature on the current server version, yes?

Re: Failed Login Throttling Adjustment

Posted: 2010-08-04 06:30
by botg
It's not there to stay, far too problematic.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-04 06:49
by horndog
botg wrote: It's not there to stay, far too problematic.
That's too bad. I find it very useful in keeping the hackers from sucking up my bandwidth.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-04 19:36
by botg
Hackers are the good guys.

I assume you mean autonomous systems operated by script kiddies.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-06 21:18
by voiceinthedesert
I take it, then, that there is no way to change the delay time between logins? I discovered that the 5 second delay I was seeing was actually a result of the FileZilla Client, rather than the server. Analyzing the times it takes the server to authenticate, I see about 11 seconds average without increase as logins fail.

If there's no way to change it, can I at least see what the progression of delay is? After how many logins does the delay kick in and how long is that delay? I'm just trying to get a technical overview of this feature. Thanks again for any help you can provide.

Re: Failed Login Throttling Adjustment

Posted: 2010-08-06 21:35
by boco
FZ Server is OSS, so you could examine it directly in the source code.