Old 07-26-2017, 11:39 PM   #8
kovidgoyal
creator of calibre
Posts: 43,858
Karma: 22666666
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
Is it even possible to brute force passwords over a network? Given network latencies you'd need to be extremely lucky (or have the user use extremely poor passwords) to actually succeed at brute forcing. A quick back of the envelope calculation: given that both digest auth (with a nonce, which calibre uses) and HTTPS require multiple roundtrips, let's assume a best case latency per auth request of 20ms (in reality it would be much higher). That gives us ~ 4e6 requests a day. Now assume an 8 char password containing letters, numbers and symbols that is not in a rainbow table (i.e. is not a dictionary word or common name or such). That gives us a search space of 8^80. Which means it would take your attacker approx 10^63 years to cover that search space. Now assume even that the attacker uses a million computers to connect to the calibre server in parallel, that still means 10^57 years. I don't think you have to worry about passwords being brute forced, as long as you use decent passwords.

And the calibre server does log all HTTP requests along with a response code, including failed authentications (response code 401) in the access log, so you can use that for fail2ban.

Though again, IP blocking is not going to help you against all but the most incompetent of attackers.
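An added example of the fail2ban-style check the post describes (not code from the post or from calibre): it counts 401 responses per client IP in the access log and flags any IP that fails `maxretry` times within `findtime`, which is the same logic a fail2ban jail applies. The log lines are constructed in Apache common-log style; the exact calibre-server access-log layout is an assumption, so adjust `LINE_RE` to match your log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in common-log style (assumed layout, not a real
# calibre-server capture). Status code is the field after the request string.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jul/2017:23:01:02 +0000] "GET /ajax/ HTTP/1.1" 401 -
203.0.113.7 - - [26/Jul/2017:23:01:03 +0000] "GET /ajax/ HTTP/1.1" 401 -
203.0.113.7 - - [26/Jul/2017:23:01:04 +0000] "GET /ajax/ HTTP/1.1" 401 -
198.51.100.9 - - [26/Jul/2017:23:01:05 +0000] "GET /ajax/ HTTP/1.1" 401 -
198.51.100.9 - - [26/Jul/2017:23:01:06 +0000] "GET /ajax/ HTTP/1.1" 200 -
203.0.113.7 - - [26/Jul/2017:23:09:30 +0000] "GET /ajax/ HTTP/1.1" 401 -
"""

# client ip, bracketed timestamp, quoted request, 3-digit status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})')


def failed_auths(log_text):
    """Yield (ip, timestamp) for every request that was answered with 401."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ip, ts, status = m.groups()
        if status == "401":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the set of IPs with >= maxretry failed auths inside any findtime window.

    Mirrors fail2ban's maxretry/findtime semantics: a sliding window over the
    sorted failure times, so a slow trickle of failures below the rate is ignored.
    """
    hits = defaultdict(list)
    for ip, ts in failed_auths(log_text):
        hits[ip].append(ts)
    banned = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))  # ['203.0.113.7']
```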