Re: Apache limit number of login retries (Linux Web Servers forum, Web Server and Related Forums category)
In <bdnmtq$u8mmd$1@ID-156202.news.dfncis.de> Martin Wickman <wizball@hotbrev.com> writes:
>I have been looking for a clever way to limit number of retries when
>using basic authentication. As of now, applying brute force methods to
>[...]
>Any thoughts and ideas would be much appreciated!

We use this not-so-expensive solution and are a satisfied customer:
http://www.howlingfrog.com/products/...d_hackprotect/

++ralph
On Mon, Jun 30, Ralph Mengen inscribed on the eternal scroll:
> We use this not-so-expensive solution and are a satisfied customer:

This is a technical discussion group. Wouldn't you be willing to at least sketch out the working principle, and address how it deals with the obvious issues?

Two things immediately strike me:

1. Since it says it does its blocking per-IP, any serious attacker would simply get themselves a list of open HTTP proxies, of which there are many thousands on the 'net, and work via those.
2. When users access the web from behind a cache proxy, as they do at quite a number of major ISPs as well as from some proportion of educational campuses for example, it only takes one mischief maker to block the access for all the other users of the same cache.

cheers
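
The two issues raised in the post above can be checked against a server's own access log before a per-IP limit is enabled. The following is an added example, not part of the thread and not code from the product mentioned; the log lines, usernames, addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')

def _line(ip, user, status):
    # Build one constructed access-log line in Apache common log format.
    return f'{ip} - {user} [30/Jun/2003:10:00:00 +0000] "GET /private/ HTTP/1.0" {status} 512'

# Constructed sample: five proxies each fail twice as "admin"; one shared cache
# (192.0.2.10) carries a mischief maker plus two legitimate users.
# On a 401 line the user field is whatever the client sent, so it identifies
# the account being guessed, not an authenticated person.
SAMPLE = (
    [_line(f"203.0.113.{n}", "admin", 401) for n in range(1, 6) for _ in range(2)]
    + [_line("192.0.2.10", "mallory", 401)] * 4
    + [_line("192.0.2.10", "bob", 200), _line("192.0.2.10", "carol", 200)]
)

def parse(lines):
    """Yield (ip, user, status) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def over_limit(records, field, limit):
    """Return the IPs (field=0) or usernames (field=1) with >= limit 401s."""
    fails = Counter(r[field] for r in records if r[2] == 401)
    return {k for k, n in fails.items() if n >= limit}

def collateral(records, blocked_ips):
    """Users who authenticated successfully from an IP that would be blocked."""
    return {u for ip, u, s in records if ip in blocked_ips and s == 200}

def report(lines, limit=3):
    """Compare what a per-IP limit catches with what per-username counting sees."""
    records = list(parse(lines))
    blocked_ips = over_limit(records, 0, limit)
    return {
        "blocked_ips": blocked_ips,
        "targeted_users": over_limit(records, 1, limit),
        "collateral_users": collateral(records, blocked_ips),
    }

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample, the per-IP limit blocks only the shared cache, locking out bob and carol, while the ten failures against "admin" spread over five addresses stay under the per-IP threshold and show up only in the per-username count.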
In article <3efffa81$1@news.fhg.de>, Ralph Mengen wrote:
> In <bdnmtq$u8mmd$1@ID-156202.news.dfncis.de> Martin Wickman <wizball@hotbrev.com> writes:
>
>>I have been looking for a clever way to limit number of retries when
>>using basic authentication. As of now, applying brute force methods to
>>[...]
>>Any thoughts and ideas would be much appreciated!
>
> We use this not-so-expensive solution and are a satisfied customer:
> http://www.howlingfrog.com/products/...d_hackprotect/

Unfortunately this is for Apache 1.3 only and... well, it is not a free-speech solution.