It's possible to circumvent auth_brute_force security by trying logins via xmlrpc/jsonrpc. The login attempts done this way are not checked by the module and do not count towards the failed attempts limit towards the ban.
I would argue that the jsonrpc interface is the preferred one for bruteforcing tools, so IMO this limitation is non-negligible.
:+1: When I wrote this module, I just tested with Front UI attempts.
This could be a good addition to log tries from xmlrpc. Do you think you could make a PR?
Regards.
Hi @lasley. I allowed myself to change the label you set. I think that "bug" is more appropriate because what @LeartS is talking about makes this module useless.
The fix is in https://github.com/OCA/server-tools/pull/1219, let's continue there.
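The gap reported at the top of this thread, as an added example that is not part of the thread and is not code from the module or from Odoo: a small Python model in which the failed-attempt counter guards only the web form, next to a layout where every entry point passes through the same guarded check. All class, function and constant names, the threshold and the sample address are constructed for illustration.

```python
# Hypothetical model of the reported gap; not Odoo or auth_brute_force code.
import hmac
from collections import defaultdict

MAX_FAILURES = 3                    # constructed threshold for the demo
USERS = {"admin": "correct horse"}  # constructed credential store

class Banned(Exception):
    """Raised when a remote address has reached the failure limit."""

class AttemptTracker:
    def __init__(self, limit=MAX_FAILURES):
        self.limit = limit
        self.failures = defaultdict(int)

    def guard(self, remote, check):
        """Run check() for remote, counting failures and enforcing the ban."""
        if self.failures[remote] >= self.limit:
            raise Banned(remote)
        ok = check()
        self.failures[remote] = 0 if ok else self.failures[remote] + 1
        return ok

def check_credentials(login, password):
    expected = USERS.get(login)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

class EntryPointGuarded:
    """Layout from the report: only the web form goes through the tracker."""
    def __init__(self):
        self.tracker = AttemptTracker()
    def web_login(self, remote, login, password):
        return self.tracker.guard(remote, lambda: check_credentials(login, password))
    def rpc_login(self, remote, login, password):
        return check_credentials(login, password)  # never counted, never banned

class SharedLayerGuarded(EntryPointGuarded):
    """Hardened layout: the RPC entry point uses the same guarded call."""
    def rpc_login(self, remote, login, password):
        return self.web_login(remote, login, password)

def failures_until_ban(server, entry, tries=10):
    """Return the attempt number at which Banned is raised, or None if never."""
    for n in range(1, tries + 1):
        try:
            getattr(server, entry)("203.0.113.7", "admin", f"guess{n}")
        except Banned:
            return n
    return None
```

A regression test for a module of this kind can use the same shape: drive failed logins through each exposed entry point and assert that the ban triggers at the same attempt count on all of them.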