login attempts to web-page. (time limits)
Hello,
I'm wondering if it's possible to force some time-out between logon attempts to web pages hosted on an apache2 server. I have the server running on my machine and just to test my security, a friend tried with brutus to force-guess the password. There I can see that there are lots of authentication requests every second.

I would like to know if it's possible to force some timeout between those attempts like say 1 or 2 seconds, then even those forcers have to try much much longer to crack the pwd. Like 1 attempt / second instead of 130. Also, this 1 second time-out doesn't bother real logins when missing accidentally.

Thanks for help. If it is mentioned in the manual for apache, then I missed it, please point me to the right chapter then. Thanks.

Lieven
Do you mean Apache alone or something like Apache+PHP?
In fact, I do have php and sql support installed.
What I mean is the following: in apache conf, I have these directives for directories like:

    ...
    <Directory /usr/local/apache2/htdocs/php>
        AuthType Basic
        AuthName "Restricted php test area"
        AuthUserFile /usr/local/apache2/pwd_auth/passwords
        AuthGroupFile /usr/local/apache2/pwd_auth/groups
        require user lieven robin
    </Directory>
    <Directory /usr/local/apache2/htdocs/moviedb>
        AuthType Basic
        AuthName "Restricted movie database"
        AuthUserFile /usr/local/apache2/pwd_auth/passwords
        AuthGroupFile /usr/local/apache2/pwd_auth/groups
        require group dbusers
    </Directory>
    ....

and thus I get this popup in my browser requesting a userid and password. It seems that this brutus-thing can attempt to logon to my pages hundreds of times per second, guessing my passwd. (I myself have no experience with these kinds of programs.) I would like to add an interval for the logon attempts. But maybe this has nothing to do with Linux itself and I should look it up at the apache site. (But if someone can tell me...) Thanks!
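
Added illustration, not part of the thread and not Apache's own code: the Python sketch below replays access-log lines through the kind of per-client delay asked about above (no password check for `min_interval` seconds after a failed Basic-auth attempt) and counts how many guesses would still reach the password comparison. It assumes Common Log Format with one-second timestamps and clients keyed by IP address; the log lines, addresses and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def replay(lines, min_interval=1.0):
    """Replay access-log lines through a per-client delay after each failed login.

    Returns {client: {"attempts": n, "checked": n, "throttled": n}}.
    """
    last_failure = {}
    stats = defaultdict(lambda: {"attempts": 0, "checked": 0, "throttled": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        client, user, stamp, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if user == "-":
            continue  # no credentials sent: the initial 401 challenge, not a guess
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        s = stats[client]
        s["attempts"] += 1
        prev = last_failure.get(client)
        if prev is not None and (when - prev).total_seconds() < min_interval:
            s["throttled"] += 1  # would be refused before the password is compared
            continue
        s["checked"] += 1
        if status == 401:
            last_failure[client] = when  # a wrong guess starts the delay
    return dict(stats)

def sample_log():
    """Constructed sample: one guessing client at 130 requests/s, one real user."""
    fmt = '{ip} - {user} [10/Oct/2004:18:43:{sec:02d} -0500] "GET /php/ HTTP/1.1" {code} 401'
    lines = [fmt.format(ip="192.0.2.10", user="-", sec=0, code=401),       # challenge
             fmt.format(ip="192.0.2.10", user="lieven", sec=0, code=401)]  # mistyped
    for sec in range(3):
        lines += [fmt.format(ip="198.51.100.7", user="lieven", sec=sec, code=401)] * 130
    lines += [fmt.format(ip="192.0.2.10", user="lieven", sec=3, code=200)] * 2
    return lines

if __name__ == "__main__":
    for client, s in replay(sample_log()).items():
        print(client, s)
```

With the constructed sample, the guessing client is cut from 130 checked passwords per second to one, while the real user who mistyped once and retried three seconds later is never delayed.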