Hi Neal,

I have used http://authmemcookie.sourceforge.net/ previously to create a form-based authentication for web sites. The form can be in any scripting language Apache supports, so CAPTCHA should be easy to implement.

On Tue, Oct 4, 2011 at 11:44 PM, Neal Rhodes <neall@xxxxxxxxxxx> wrote:
> We have bunches of web applications which use the regular Apache login
> protection, and they won't run unless REMOTE_USER is set by the Apache
> login.
>
> <Limit GET>
> require valid-user
> </Limit>
>
> <Limit POST PUT DELETE>
> require valid-user
> </Limit>
>
> AuthName O-Visitor
> AuthUserFile /usr/appl/cgi/.htpasswd
>
> AuthType Basic
>
>
> Looking at improving security, it would seem that it would be much harder to
> conduct brute-force attacks on these systems if we could configure Apache
> login to do two things:
>
> A. Present the CAPTCHA style validation prompt as part of the login, to make
> it difficult for scripted attacks to proceed;
> B. Lock out an individual username in the .htpasswd file after X failed login
> attempts.
>
> Are there flavors of Linux Apache which have modules to provide this?
>
>
> Neal Rhodes
> MNOP Ltd

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.