Hello,

I'm wondering if it's possible to force some time-out between logon attempts to web pages hosted on an apache2 server.

I have the server running on my machine and just to test my security, a friend tried with brutus to force-guess the password. There I can see that there are lots of authentication requests every second.

I would like to know if it's possible to force some timeout between those attempts like say 1 or 2 seconds, then even those forcers have to try much much longer to crack the pwd. Like 1 attempt / second instead of 130.
Also, this 1 second time-out doesn't bother real logins when missing accidentally.

thanks for help.
If it is mentioned in the manual for apache, then I missed it, please point me to the right chapter then. thanks.


Lieven

Do you mean Apache alone or something like Apache+PHP?

In fact, I do have php and sql support installed.
What I mean is the following: in apache conf, I have these directives for directories like:


...

<Directory /usr/local/apache2/htdocs/php>
AuthType Basic
AuthName "Restricted php test area"
AuthUserFile /usr/local/apache2/pwd_auth/passwords
AuthGroupFile /usr/local/apache2/pwd_auth/groups
require user lieven robin
</Directory>

<Directory /usr/local/apache2/htdocs/moviedb>
AuthType Basic
AuthName "Restricted movie database"
AuthUserFile /usr/local/apache2/pwd_auth/passwords
AuthGroupFile /usr/local/apache2/pwd_auth/groups
require group dbusers
</Directory>

....

and thus I get this popup in my browser requesting a userid and password.
It seems that this brutus-thing can attempt to logon to my pages hundreds of times per second, guessing my passwd. (I myself have no experience with these kind of programs)
I would like to add an interval for the logon attempts. But maybe this has nothing to do with linux itself and I should look it up at the apache site.
(but if someone can tell me... )

thanks!