#4, 12th November 2012, 15:44
Ben (Moderator)

But isn't it more security by obscurity, as by limiting the activity time the time window for any trojan to spy on the password is smaller?
Also, if this is not enforced by default, I assume nobody will really take care of this option.
If the user / admin knew about the problem, he would, more than that, make use of:
fail2ban against bruteforce on the server,
forced (or at least configured) ftps (!= sftp),
forced password policy (complexity),
forced password renewal (aging), optionally with time based deactivation.

To assist the admin, ISPConfig could alert on the ftp tab if some of the above mentioned mitigation options are not in place.

Just as an additional idea on how to assist solving this issue.
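A sketch of the check that could drive the alert proposed in the post above. This is an added example, not part of the original post and not ISPConfig code: the `site` and `users` structures, the function names and the sample data are hypothetical, and only the fail2ban jail names are real.

```python
import configparser
from datetime import date

# Jail names fail2ban ships for common FTP daemons.
FTP_JAILS = ("pure-ftpd", "proftpd", "vsftpd")

def ftp_jail_enabled(jail_text):
    """Return True if an FTP jail is enabled in jail.local-style text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_text)
    return any(cp.has_section(j) and cp.getboolean(j, "enabled", fallback=False)
               for j in FTP_JAILS)

def audit_ftp(jail_text, site, users, today):
    """Return one warning per mitigation from the post that is missing.

    `site` and `users` are hypothetical structures, not ISPConfig's schema.
    """
    warnings = []
    if not ftp_jail_enabled(jail_text):
        warnings.append("fail2ban: no FTP jail enabled")
    if not site.get("tls_required"):
        warnings.append("FTPS is not enforced")
    if not site.get("password_policy"):
        warnings.append("no password complexity policy")
    max_age = site.get("password_max_age_days")
    if max_age is None:
        warnings.append("no password aging configured")
    else:
        for name, changed in users:
            age = (today - changed).days
            if age > max_age:  # candidate for time based deactivation
                warnings.append(f"{name}: password is {age} days old (limit {max_age})")
    return warnings

# Constructed sample input: the FTP jail inherits enabled = false from DEFAULT.
SAMPLE_JAIL = """
[DEFAULT]
enabled = false
bantime = 600

[sshd]
enabled = true

[pure-ftpd]
maxretry = 3
"""
SAMPLE_SITE = {"tls_required": False, "password_policy": True,
               "password_max_age_days": 90}
SAMPLE_USERS = [("web1_ftp", date(2012, 6, 1)), ("web2_ftp", date(2012, 10, 20))]

if __name__ == "__main__":
    for w in audit_ftp(SAMPLE_JAIL, SAMPLE_SITE, SAMPLE_USERS, date(2012, 11, 12)):
        print("WARNING:", w)
```

The sample jail file shows the case a plain "is there a jail section" check would miss: the `[pure-ftpd]` section exists but is not enabled.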