Failed Login Throttling Adjustment

voiceinthedesert
500 Command not understood
Posts: 3
Joined: 2010-08-03 16:12

Failed Login Throttling Adjustment

#1 Post by voiceinthedesert » 2010-08-03 16:36

Hello,

I am investigating FileZilla as a possible solution for my FTP needs and have a question about the failed login delay. I tested this feature by intentionally logging in to the server incorrectly about a dozen times and the delay did not seem to get above 5 seconds with me hitting the connect button as soon as the previous one failed. I also did not notice a difference in how long the system was taking to authenticate my credentials with each attempt.

My question is, does the delay for this feature max out at 5 seconds? While I understand a 5 second delay frustrates a brute force attack, I would feel better if the maximum delay time was significantly higher than it is. If the delay is a factor of how long it takes to authenticate rather than the initialization, I suppose I just may not be noticing it. And of course, I suppose it's possible my attempts simply don't behave closely enough to an automation to trigger the serious delays. If there is a limit to the maximum delay, is there a way to adjust it?

Thank you for your time and help.

botg
Site Admin
Posts: 35555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Failed Login Throttling Adjustment

#2 Post by botg » 2010-08-03 18:39

Mostly by design. Regardless of what happens, the real user should always be able to log in without too much delay.

voiceinthedesert
500 Command not understood
Posts: 3
Joined: 2010-08-03 16:12

Re: Failed Login Throttling Adjustment

#3 Post by voiceinthedesert » 2010-08-03 18:53

Yeah, I'm not worried about legitimate users, since I don't anticipate any of them having such issues. Even if they did get delayed, I don't consider it a problem unless it actually prevented them from logging in (which a delay won't do). My goal is actually to increase the time penalty, if possible. I would like the 5 seconds to be increased to a minute or even several minutes if they fail successive times. Is that something I can alter with a setting within the program or is that delay time part of the code for the server and not variable? Thanks for the quick reply.
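
An added example, not part of the original thread and not FileZilla Server's code: a sketch of the kind of throttle post #3 asks for, where the penalty starts at 5 seconds and doubles up to a cap of several minutes, tracked per source address so that a login from a different address is not held back. The class name, its parameters and the doubling schedule are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Escalating per-address delay after failed logins (illustrative design)."""

    def __init__(self, base=5.0, factor=2.0, cap=300.0, free_attempts=3,
                 forget_after=900.0, clock=time.monotonic):
        self.base, self.factor, self.cap = base, factor, cap
        self.free_attempts = free_attempts  # a few typos cost nothing
        self.forget_after = forget_after    # idle seconds before the count resets
        self.clock = clock
        self._state = {}  # addr -> (failures, last_failure, blocked_until)

    def delay_for(self, failures):
        """Penalty in seconds after the Nth consecutive failure from one address."""
        if failures <= self.free_attempts:
            return 0.0
        # Bound the exponent so a very long failure run cannot overflow a float.
        exponent = min(failures - self.free_attempts - 1, 32)
        return min(self.cap, self.base * self.factor ** exponent)

    def retry_after(self, addr):
        """Seconds the server should still hold back attempts from addr."""
        entry = self._state.get(addr)
        if entry is None:
            return 0.0
        _, last_failure, blocked_until = entry
        now = self.clock()
        if now - last_failure > self.forget_after:
            del self._state[addr]  # stale record: start clean
            return 0.0
        return max(0.0, blocked_until - now)

    def record_failure(self, addr):
        """Count a failed login and return the penalty now in force."""
        now = self.clock()
        failures, last_failure, _ = self._state.get(addr, (0, now, now))
        if now - last_failure > self.forget_after:
            failures = 0
        failures += 1
        penalty = self.delay_for(failures)
        self._state[addr] = (failures, now, now + penalty)
        return penalty

    def record_success(self, addr):
        """A successful login clears the address's history."""
        self._state.pop(addr, None)

if __name__ == "__main__":
    # Penalty progression for the first 11 consecutive failures.
    print([LoginThrottle().delay_for(n) for n in range(1, 12)])
```

Because the state is keyed by source address, a distributed guessing run is slowed only per address, and users behind a shared NAT share one counter.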

horndog
550 Permission denied
Posts: 27
Joined: 2010-06-13 21:27
First name: Stuart
Last name: Kay

Re: Failed Login Throttling Adjustment

#4 Post by horndog » 2010-08-03 19:51

If you're worried about brute force login, there is an option to ban after x (variable) amount of failed attempts for x amount of time up to permanent banishment.

boco
Contributor
Posts: 26933
Joined: 2006-05-01 03:28
Location: Germany

Re: Failed Login Throttling Adjustment

#5 Post by boco » 2010-08-04 04:41

Please don't recommend deprecated features. Thanks.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

horndog
550 Permission denied
Posts: 27
Joined: 2010-06-13 21:27
First name: Stuart
Last name: Kay

Re: Failed Login Throttling Adjustment

#6 Post by horndog » 2010-08-04 04:57

boco wrote: Please don't recommend deprecated features. Thanks.
Autoban is a current feature on the current server version, yes?

botg
Site Admin
Posts: 35555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Failed Login Throttling Adjustment

#7 Post by botg » 2010-08-04 06:30

It's not there to stay, far too problematic.

horndog
550 Permission denied
Posts: 27
Joined: 2010-06-13 21:27
First name: Stuart
Last name: Kay

Re: Failed Login Throttling Adjustment

#8 Post by horndog » 2010-08-04 06:49

botg wrote: It's not there to stay, far too problematic.
That's too bad. I find it very useful in keeping the hackers from sucking up my bandwidth.

botg
Site Admin
Posts: 35555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Failed Login Throttling Adjustment

#9 Post by botg » 2010-08-04 19:36

Hackers are the good guys.

I assume you mean autonomous systems operated by script kiddies.

voiceinthedesert
500 Command not understood
Posts: 3
Joined: 2010-08-03 16:12

Re: Failed Login Throttling Adjustment

#10 Post by voiceinthedesert » 2010-08-06 21:18

I take it, then, that there is no way to change the delay time between logins? I discovered that the 5 second delay I was seeing was actually a result of the FileZilla Client, rather than the server. Analyzing the times it takes the server to authenticate, I see about 11 seconds average without increase as logins fail.

If there's no way to change it, can I at least see what the progression of delay is? After how many logins does the delay kick in and how long is that delay? I'm just trying to get a technical overview of this feature. Thanks again for any help you can provide.

boco
Contributor
Posts: 26933
Joined: 2006-05-01 03:28
Location: Germany

Re: Failed Login Throttling Adjustment

#11 Post by boco » 2010-08-06 21:35

FZ Server is OSS, so you could examine it directly in the source code.
