Subsonic Forum

[toolman]

Lately I experience a lot of scriptkiddies trying to gain acces to my Subsonic-server.
Quite annoying, but they can't do much harm. However it would be great if Subsonic had some features to make it more difficult to gain acces.
1. I think that being able to disable or remove the user "admin" would be nice.
At this time you can't even edit the priviliges of that account. You can deny the admin-account access to your music-folders, but if someone would be able to log in as admin that can be altered to full acces on all folders. ( I now have given the admin-account a password of 150 characters, which should be relatively safe, but I'd rather have no user "admin".)
2. A lock-out feature.
If someone fails to log in, in their 3th attempt they get locked out for an hour or so.
3. Ip-ban.
The possibility to block ip-addresses from logging in to Subsonic completely.
4. It would also be nice if all logins were recorded in the logfiles and not just only the failed logins.

[ericvonnine]

2 and 3 can be covered by fail2ban until the Subsonic maintainer, or someone else, decides to add it.

[toolman]

Thanks for your suggestion. Since I'm running Subsonic on Windows server I just block complete ip-ranges in my firewall whenever there are attempts to log in to my server originating from China.
But I would feel much safer if Subsonic would have a ( configurable) lock-out function.
I'm thinking of a function where you could set : if ip-address so and so failed to log in 3 times I want that adress to be blocked for XXXXX hours.
I will study Fail2ban, but as far as I've read it's not for Windows.

[ericvonnine]

You are correct, it is a *nix tool.