If I want to block a brute-force attack, I usually use fail2ban.
cat /opt/openfire/logs/info.log:
...
2015.02.06 13:33:08 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: green.bus
...
But no IP address! Nothing to ban!
As I can see from
there is a "fix" to change the log content:
Then I've modified org.jivesoftware.openfire.net.SASLAuthentication,
before
Line 288
Log.info("User Login Failed. " + e.getMessage());
after
Log.info("User Login Failed. " + e.getMessage() + " " + session.getHostAddress());
//add try/catch around this line, because getHostAddress() might throw an exception
This will provide us with everything fail2ban needs - an IP address and the time
2012.04.13 15:40:44 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: test@192.168.253.5 IP: 192.168.253.10
But I don't understand how to change the property org.jivesoftware.openfire.net.SASLAuthentication! Where must this property be changed/placed?
Could you help me?
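An added example, not part of the original post and not Openfire or fail2ban code: a Python sketch of the matching and counting a fail2ban-style filter would do against the modified log line format quoted above. The `max_retry` and `find_time` values, the IPv4-only pattern, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Modified log format from the post: the line ends with "IP: <address>".
# The address is anchored to the end of the line because the account name
# earlier in the line is supplied by the client and may contain anything.
# Assumption: IPv4 only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"org\.jivesoftware\.openfire\.net\.SASLAuthentication - "
    r"User Login Failed\. .*? IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_failure(line):
    """Return (timestamp, ip) for a failed-login line, or None if no IP is logged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"), m["ip"]

def addresses_to_ban(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Addresses with at least max_retry failures inside a find_time window.
    Assumes the lines are in chronological order, as in a log file."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # drop failures older than the window
        if len(window) >= max_retry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample log (not real data). The last line is the unmodified
# format from the post, which carries no address and so cannot be matched.
PREFIX = ("org.jivesoftware.openfire.net.SASLAuthentication - "
          "User Login Failed. PLAIN authentication failed for: ")
SAMPLE_LOG = [
    "2012.04.13 15:40:44 " + PREFIX + "test@192.168.253.5 IP: 192.168.253.10",
    "2012.04.13 15:40:50 " + PREFIX + "admin IP: 192.168.253.10",
    "2012.04.13 15:41:02 " + PREFIX + "x IP: 10.0.0.1 IP: 192.168.253.10",
    "2012.04.13 15:41:30 " + PREFIX + "green.bus IP: 192.168.253.77",
    "2015.02.06 13:33:08 " + PREFIX + "green.bus",
]
```

Calling `addresses_to_ban(SAMPLE_LOG)` flags only the address with three failures inside the window; the line without a trailing address is skipped, which is the situation the post describes.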