LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-18-2005, 07:36 AM   #1
ldp
Member
 
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Rep: Reputation: 18
login attempts to web-page. (time limits)


Hello,

I'm wondering if it's possible to force some time-out between logon attempts to web pages hosted on an apache2 server.

I have the server running on my machine and just to test my security, a friend tried with brutus to force-guess the password. There I can see that there are lots of authentication requests every second.

I would like to know if it's possible to force some timeout between those attempts like say 1 or 2 seconds, then even those forcers have to try much much longer to crack the pwd. Like 1 attempt / second instead of 130.
Also, this 1 second time-out doesn't bother real logins when missing accidentally.

thanks for help.
If it is mentioned in the manual for apache, then I missed it, please point me to the right chapter then. thanks.


Lieven
 
Old 01-20-2005, 12:23 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148Reputation: 148
Do you mean Apache alone or something like Apache+PHP?
 
Old 01-20-2005, 12:42 PM   #3
ldp
Member
 
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Original Poster
Rep: Reputation: 18
In fact, I do have php and sql support installed.
What I mean is the following: in apache conf, I have these directives for directories like:


...

<Directory /usr/local/apache2/htdocs/php>
AuthType Basic
AuthName "Restricted php test area"
AuthUserFile /usr/local/apache2/pwd_auth/passwords
AuthGroupFile /usr/local/apache2/pwd_auth/groups
require user lieven robin
</Directory>

<Directory /usr/local/apache2/htdocs/moviedb>
AuthType Basic
AuthName "Restricted movie database"
AuthUserFile /usr/local/apache2/pwd_auth/passwords
AuthGroupFile /usr/local/apache2/pwd_auth/groups
require group dbusers
</Directory>

....

and thus I get this popup in my browser requesting a userid and password.
It seems that this brutus-thing can attempt to logon to my pages hundreds of times per second, guessing my passwd. (I myself have no experience with these kind of programs)
I would like to add an interval for the logon attempts. But maybe this has nothing to do with linux itself and I should look it up at the apache site.
(but if someone can tell me... )

thanks!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ftp web page login paul_mat Linux - Software 9 11-16-2005 02:13 AM
Web page load time in Linux browsers is slow compared to ... the_rhino Linux - General 1 02-11-2005 08:23 PM
user account time limits DAChristen29 Linux - Networking 2 12-24-2004 06:00 PM
Auto login and run firefox at a specific web page eraser Linux - Newbie 4 11-21-2004 05:34 PM
Traffic and time limits for internet users. pamsi Red Hat 0 12-15-2003 10:05 AM


All times are GMT -5. The time now is 05:36 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration