On 2011-10-04 14:44, Neal Rhodes wrote:
> We have bunches of web applications which use the regular Apache login
> protection,

Do you mean HTTP Basic Auth, as defined in RFC 2616?

> and they won't run unless REMOTE_USER is set by the Apache login.

Yes, this is HTTP Basic AUTH. It says so right there.

> Looking at improving security, it would seem that it would be much harder
> to conduct brute-force attacks on these systems if we could configure
> Apache login to do two things:

You can't. There is no "login", just an Authorization: header which has to
be sent for every page that requires it.

> A. Present the CAPTCHA style validation prompt as part of the login, to
> make it difficult for scripted attacks to proceed;

Actual login-ness (a state of logged in being different from a state of not
being logged in) must be achieved through non-HTTP means, possibly supported
by HTTP features such as cookies.

-- 
J.
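The point J. makes, that Basic Auth is a credential re-sent on every request with no server-side "logged in" state, while a cookie-backed session is what actually provides such a state, as an added Python example that is not part of the thread. The user store, session store and the `session` cookie name are constructed for illustration.

```python
import base64
import hmac
import secrets

# Constructed sample user store (plain-text password only for illustration;
# a real store holds salted hashes).
USERS = {"alice": "s3cret"}
SESSIONS = {}  # constructed in-memory session store: token -> username

# Constructed header: base64("alice:s3cret"), what a browser sends per RFC 2617.
SAMPLE_HEADER = "Basic YWxpY2U6czNjcmV0"


def make_basic_header(user, password):
    """Build the Authorization value a client sends for Basic Auth."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if header_value is None:
        return None
    scheme, _, credentials = header_value.partition(" ")
    if scheme.lower() != "basic" or not credentials.strip():
        return None
    try:
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 2617: userid ":" password; only the first colon separates them.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_basic_auth(headers):
    """Per-request check, as Apache's auth modules do on every protected URL.
    Returns the REMOTE_USER value, or None (the server answers 401 and the
    client must resend credentials; nothing is remembered between requests)."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def issue_session_cookie(user):
    """After a successful form login, mint a session token; this, not the
    Authorization header, is what gives the client a logged-in state."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def check_session_cookie(headers):
    """Resolve the 'session' cookie to a user; the browser resends it itself."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None
```

A CAPTCHA can only be placed in front of `issue_session_cookie`, since `check_basic_auth` runs anew for every request and has nowhere to hang a challenge.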
We have bunches of web applications which use the regular Apache login protection, Do you mean HTTP Basic Auth, as defined in RFC 2616 ? and they won't run unless REMOTE_USER is set by the Apache login. Yes, this is HTTP Basic AUTH. It says so right there. Looking at improving security, it would seem that it would be much harder to conduct brute-force attacks on these systems if we could configure Apache login to do two things: You can't. There is no "login", just an Authorization: header which has to be sent for every page that requires it. A. Present the CAPTCHA style validation prompt as part of the login, to make it difficult for scripted attacks to proceed; Actual login-ness (a state of logged in being different from a state of not being logged in) must be achieved through non-HTTP means, possibly supported by HTTP features such as cookies. -- J. |