Did I get this right, that there is no brute force protection in the open source version?
I mean everybody has to make a living, but removing security critical features? Hacked pydio accounts may not the best way to advertise a product.
As far as I’ve seen, failed login IPs are not even logged in the free version. Can this be turned on somewhere?
We have a layer of security on pydio that will block someone(a user for instance) that attempts to connect 10 times with the wrong credentials, this is for known users.
Otherwise I would advise you to have a setup with a reverse proxy and something such as fail2ban which should give you an extra layer of protection.