httpd-users mailing list archives

From Neal Rhodes <ne...@mnopltd.com>
Subject [users@httpd] Could Apache login support CAPTCHA and lockout?
Date Tue, 04 Oct 2011 12:44:43 GMT
We have bunches of web applications which use the regular Apache login
protection, and they won't run unless REMOTE_USER is set by the Apache
login.   


        <Limit GET>
        require valid-user
        </Limit>
        
        <Limit POST PUT DELETE>
        require valid-user
        </Limit>
        
        AuthName O-Visitor
        AuthUserFile /usr/appl/cgi/.htpasswd
        
        AuthType Basic
        


Looking at improving security, it would seem that it would be much
harder to conduct brute-force attacks on these systems if we could
configure Apache login to do two things: 

        A. Present the CAPTCHA style validation prompt as part of the
        login, to make it difficult for scripted attacks to proceed;
        B. Lock out an individual username in the .htpasswd file after X
        failed login attempts.
        

Are there flavors of Linux Apache which have modules to provide this? 


Neal Rhodes
MNOP Ltd 
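
The per-username lockout in point B can be prototyped from the access log. The following is an added example, not part of the original message and not an Apache module: it counts 401 responses per attempted username in a sliding window and reports which accounts would be locked. It assumes Common Log Format, where the user field carries the name the client supplied even on a 401, and uses 3 failures in 10 minutes as assumed values for "X"; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def locked_out_users(lines, max_failures=3, window=timedelta(minutes=10)):
    """Map each username that reached max_failures 401s within window to the
    time of the failure that crossed the threshold."""
    recent = defaultdict(deque)  # username -> times of recent 401 responses
    locked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] == "-" or m["user"] in locked:
            continue  # unparsable, no credentials sent, or already locked
        user, status = m["user"], m["status"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if status[0] in "23":
            recent[user].clear()  # a successful login resets the counter
        elif status == "401":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()  # forget failures older than the window
            if len(q) >= max_failures:
                locked[user] = ts
    return locked

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = [
    '203.0.113.5 - alice [04/Oct/2011:12:00:01 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '198.51.100.7 - - [04/Oct/2011:12:00:02 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '203.0.113.9 - bob [04/Oct/2011:12:00:05 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '198.51.100.7 - alice [04/Oct/2011:12:01:10 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '203.0.113.9 - bob [04/Oct/2011:12:01:30 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '203.0.113.9 - bob [04/Oct/2011:12:02:00 +0000] "GET /cgi/app HTTP/1.1" 200 5120',
    '192.0.2.44 - alice [04/Oct/2011:12:03:20 +0000] "POST /cgi/app HTTP/1.1" 401 401',
    '203.0.113.9 - bob [04/Oct/2011:12:04:00 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '203.0.113.5 - carol [04/Oct/2011:12:05:00 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '203.0.113.5 - carol [04/Oct/2011:12:20:00 +0000] "GET /cgi/app HTTP/1.1" 401 401',
    '203.0.113.5 - carol [04/Oct/2011:12:35:00 +0000] "GET /cgi/app HTTP/1.1" 401 401',
]

if __name__ == "__main__":
    for user, when in locked_out_users(SAMPLE_LOG).items():
        print(f"lock {user}: 3 failed logins by {when:%H:%M:%S}")
```

Counting per username rather than per client address catches guesses spread across several source IPs, as with alice in the sample; the block only reports, so enforcing the lock on the .htpasswd entry is left to whatever acts on its output.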

