Reply To: Failed Authentications

#9227
mas
Participant

Ok, that I managed myself with my limited abilities (after some looking around).

src/webserver.c:

REPLACE:
    if(auth_handler(pwsc,username,password))
        can_dispatch=1;

WITH:
    if(auth_handler(pwsc,username,password))
        can_dispatch=1;
    else
        DPRINTF(E_WARN,L_WS,"Thread %d: Wrong password entered! (%d: %s)\n",
                pwsc->threadno,401,pwsc->hostname);

Just a quick hack to ensure things get noticed at least. I am sure you can put that patch in much more elegantly, Ron.

Now all we need is some way to have mt-daapd store these wrongly logged in IPs and block logins if someone logs in wrong too often. Alternatively that could also be accomplished by an external proggy, e.g. denyhosts, which can scan logfiles and enter evil doers into hosts.deny. Then mt-daapd would have to somehow check against hosts.deny (could be done with libwrap?).

Another idea would be to add a config option that makes it only allow computers listed in hosts.allow explicitly so one could limit the range of IPs that can access via a “mt-daapd: IP” entry in hosts.allow.
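The in-daemon variant suggested above (remember which hosts keep failing and refuse them after too many attempts) can be sketched in a few dozen lines of C. The following is an added example, not mt-daapd code and not the patch from this post: it keeps a small fixed-size table keyed by the client hostname string (as `pwsc->hostname` would supply), counts failures inside a sliding window, and locks the host out for a fixed period once the limit is reached. The table size, thresholds, the `auth_decide` wrapper and the result codes are all assumptions chosen for illustration; a daemon that adopted this would call `auth_decide` where the webserver currently calls `auth_handler` and log the `AUTH_LOCKED` case the same way the failed-password case is logged.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical policy values, not from mt-daapd */
#define MAX_HOSTS        64
#define MAX_FAILURES     5     /* failures allowed inside the window      */
#define WINDOW_SECONDS   600   /* failures older than this are forgotten  */
#define LOCKOUT_SECONDS  900   /* how long a host stays blocked           */

struct host_entry {
    char   hostname[64];
    int    failures;          /* failures seen in the current window */
    time_t first_failure;     /* start of the current window         */
    time_t locked_until;      /* 0 when not locked                   */
};

static struct host_entry table[MAX_HOSTS];
static int table_len = 0;

void auth_tracker_reset(void) {
    memset(table, 0, sizeof table);
    table_len = 0;
}

/* Find the entry for host, creating it if there is room; NULL if the table is full. */
static struct host_entry *find_or_add(const char *host) {
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].hostname, host) == 0)
            return &table[i];
    if (table_len >= MAX_HOSTS)
        return NULL;
    struct host_entry *e = &table[table_len++];
    memset(e, 0, sizeof *e);
    strncpy(e->hostname, host, sizeof e->hostname - 1);
    return e;
}

/* 1 if host is locked out at time now, else 0. */
int auth_is_locked(const char *host, time_t now) {
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].hostname, host) == 0)
            return now < table[i].locked_until;
    return 0;
}

/* Record a failed login. Returns 1 if this failure pushed the host into lockout. */
int auth_record_failure(const char *host, time_t now) {
    struct host_entry *e = find_or_add(host);
    if (e == NULL)
        return 0;   /* table full: this toy fails open; a daemon should at least log it */
    if (e->failures == 0 || now - e->first_failure > WINDOW_SECONDS) {
        e->failures = 0;          /* start a fresh window */
        e->first_failure = now;
    }
    e->failures++;
    if (e->failures >= MAX_FAILURES) {
        e->locked_until = now + LOCKOUT_SECONDS;
        e->failures = 0;
        return 1;
    }
    return 0;
}

/* A successful login clears the failure count (an active lockout is left alone). */
void auth_record_success(const char *host) {
    struct host_entry *e = find_or_add(host);
    if (e != NULL) {
        e->failures = 0;
        e->first_failure = 0;
    }
}

enum auth_result { AUTH_OK = 0, AUTH_BAD_PASSWORD = 1, AUTH_LOCKED = 2 };

/* Decision wrapper: the lockout check comes before the password result so a
 * locked host learns nothing about whether its guess was right. */
int auth_decide(const char *host, int password_ok, time_t now) {
    if (auth_is_locked(host, now))
        return AUTH_LOCKED;
    if (password_ok) {
        auth_record_success(host);
        return AUTH_OK;
    }
    auth_record_failure(host, now);
    return AUTH_BAD_PASSWORD;
}

int main(void) {
    auth_tracker_reset();
    time_t t = 1000;                          /* constructed clock value */
    for (int i = 0; i < MAX_FAILURES; i++)    /* constructed sample client */
        auth_decide("192.0.2.10", 0, t + i);
    printf("locked after %d failures: %d\n", MAX_FAILURES,
           auth_is_locked("192.0.2.10", t + 10));
    printf("correct password while locked -> %d (AUTH_LOCKED)\n",
           auth_decide("192.0.2.10", 1, t + 10));
    return 0;
}
```

Two design points worth keeping if this were turned into a real patch: the lockout check runs before the password check so an attacker who has already been locked out gets no signal about the guess, and a successful login clears the counter but does not shorten an existing lockout, so a correct guess on the last allowed attempt still has to wait. Keying on the hostname as logged means reverse DNS quality decides how reliable the blocking is; an address-keyed table, or handing the job to libwrap/hosts.deny as the post suggests, avoids that.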