mosquitto cannot prevent brute force password attack #2076

Open
fengqiusuo opened this issue Feb 5, 2021 · 6 comments · May be fixed by #3248
Comments

@fengqiusuo

As we know, mosquitto cannot prevent brute-force password attacks. So I want to know whether we have a plan to prevent brute-force password attacks. Wish you all well, thank you!

@sectokia

sectokia commented Feb 6, 2021

Firstly, a "password" in MQTT is up to 65535 bytes of data. So it's up to you to set it to what you want, and then ensure you can enter the same data on the client. It is only brute forceable if you choose to use a weak password, as MQTT supports 2^524280 permutations of passwords, which is absolutely not brute forceable.

If you are using 'weak' passwords, "mosquitto_passwd" has a (undocumented?) -I option to set iteration count for password hashing. When user sends a password, it is hashed and compared to the stored hashed value. A higher iteration count means the password is stored having gone through more hash cycles, so when the comparison is done at user login attempt, the server has to do more hash cycles, and will take longer to reject or accept clients. You can set this as high as you want to make the login attempt longer and longer to prevent brute forcing in a reasonable time period.

Thirdly if you are still worried about security, you should issue each client a client certificate. Mosquitto can be set to authenticate clients via certificates.

@fengqiusuo
Author

OK, thank you very much. I'll think about it again.

@ralight
Contributor

ralight commented Feb 9, 2021

This isn't on my list of priorities right now, but I agree it would be useful. If you're interested in making it happen I can offer guidance. It might actually be well suited to being a plugin.

@jsopenrb

fail2ban or similar could be used but the problem is that the disconnect log entry is missing client's IP address.

@kri164

kri164 commented Dec 6, 2022

To use fail2ban, the mosquitto log file entry needs some kind of unique connection identifier, to reliably detect an attacker.

More info at fail2ban/fail2ban#3427

What about adding the IP address to the disconnect line? Something like

```
Dec 06 19:49:04: New connection from 192.168.0.100:39608 on port 8883.

Dec 06 19:49:05: Client 192.168.0.100:39608 disconnected, not authorised.
```

Thank you
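Detection logic over the proposed log format, as an added example that is not part of this thread or of mosquitto: it extracts the IP from a "disconnected, not authorised" line written in kri164's suggested form, and counts failures per IP inside a fail2ban-style `findtime` window. The sample log lines are constructed; the `NOT_AUTH` pattern, `parse_auth_failure` and `offenders` are assumed names for this example only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the proposed format (IP:port on the
# "not authorised" line); not captured from a real broker.
SAMPLE_LOG = """\
Dec 06 19:49:04: New connection from 192.168.0.100:39608 on port 8883.
Dec 06 19:49:05: Client 192.168.0.100:39608 disconnected, not authorised.
Dec 06 19:49:06: New connection from 192.168.0.100:39610 on port 8883.
Dec 06 19:49:06: Client 192.168.0.100:39610 disconnected, not authorised.
Dec 06 19:49:07: New connection from 10.0.0.7:51000 on port 8883.
Dec 06 19:49:08: New client connected from 10.0.0.7:51000 as sensor-1 (p2, c1, k60, u'sensor').
Dec 06 19:49:09: New connection from 192.168.0.100:39612 on port 8883.
Dec 06 19:49:09: Client 192.168.0.100:39612 disconnected, not authorised.
Dec 06 19:55:00: Client 192.168.0.100:39700 disconnected, not authorised.
"""

# Matches only the proposed form; a fail2ban failregex would put <HOST>
# where the ip group is. The existing mosquitto line carries a client id
# instead of ip:port and therefore does not match.
NOT_AUTH = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}): Client "
    r"(?P<ip>[0-9a-f.:]+):(?P<port>\d+) disconnected, not authorised\.$"
)

def parse_auth_failure(line):
    """Return (timestamp, ip) for a not-authorised disconnect, else None."""
    m = NOT_AUTH.match(line.rstrip("\n"))
    if not m:
        return None
    # syslog-style stamps carry no year; strptime defaults it to 1900
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")

def offenders(log, maxretry=3, findtime=timedelta(minutes=1)):
    """IPs that reach maxretry auth failures within any findtime window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    for line in log.splitlines():
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            flagged.add(ip)
    return flagged
```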

@lcse66

lcse66 commented Dec 2, 2023

+1

mattst88 added a commit to mattst88/mosquitto that referenced this issue Apr 2, 2025
@mattst88 mattst88 linked a pull request Apr 2, 2025 that will close this issue