Recipe 6.15 Preventing Brute-Force Password Attacks

Problem

You want to disable a username when there are repeated failed attempts to authenticate using it, as if it is being attacked by a password-cracker.

Solution

There is no way to do this with standard Apache authentication modules. The usual approach is to watch your logfile carefully. Or you can use something like Apache::BruteWatch to tell you when a user is being attacked:

    PerlLogHandler Apache::BruteWatch
    PerlSetVar BruteDatabase DBI:mysql:brutelog
    PerlSetVar BruteDataUser username
    PerlSetVar BruteDataPassword password
    PerlSetVar BruteMaxTries 5
    PerlSetVar BruteMaxTime 120
    PerlSetVar BruteNotify rbowen@example.com

Discussion

Due to the stateless nature of HTTP and the fact that users are not, technically, "logged in" at all (see HTTP, Browsers, and Credentials), there is no connection between one authentication attempt and another. This makes it possible to repeatedly attempt to log in with a particular username.

Apache::BruteWatch is one way to watch the logfile and send notification when a particular account is being targeted for a brute-force password attack. With the configuration shown previously, if a given account fails authentication 5 times in 2 minutes, the server administrator will be notified of the situation, so that she can take appropriate measures, such as blocking the offending address from the site.

See Also
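The "watch your logfile" approach from the Discussion, as an added example that is not part of the recipe or of Apache::BruteWatch: a sliding-window check over Common Log Format lines that flags any username with BruteMaxTries or more 401 responses inside BruteMaxTime seconds. The log lines are constructed sample data; Apache records the supplied username in the %u field even when the response is 401.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: host ident user [timestamp] "request" status bytes.
# The user field is what the client sent, so it is present on 401 responses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_targeted_accounts(lines, max_tries=5, max_time=120):
    """Return {username: timestamp} for every account whose failed
    authentications reach max_tries within any max_time-second window.
    max_tries / max_time mirror BruteMaxTries / BruteMaxTime in the recipe."""
    window = defaultdict(deque)   # username -> timestamps of recent 401s
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401" or m.group("user") == "-":
            continue                      # not a failed auth for a named user
        user = m.group("user")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        recent = window[user]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > max_time:
            recent.popleft()              # expire failures outside the window
        if len(recent) >= max_tries and user not in flagged:
            flagged[user] = ts.isoformat()   # first moment the threshold is hit
    return flagged


# Constructed sample log: rbowen fails five times in under two minutes,
# alice fails once, and one successful (200) request is ignored.
SAMPLE_LOG = [
    '203.0.113.7 - rbowen [10/Oct/2000:13:55:36 -0700] "GET /secret/ HTTP/1.0" 401 381',
    '203.0.113.7 - rbowen [10/Oct/2000:13:55:41 -0700] "GET /secret/ HTTP/1.0" 401 381',
    '203.0.113.7 - alice [10/Oct/2000:13:55:50 -0700] "GET /secret/ HTTP/1.0" 401 381',
    '203.0.113.7 - rbowen [10/Oct/2000:13:56:02 -0700] "GET /secret/ HTTP/1.0" 401 381',
    '203.0.113.7 - rbowen [10/Oct/2000:13:56:30 -0700] "GET /secret/ HTTP/1.0" 401 381',
    '203.0.113.7 - rbowen [10/Oct/2000:13:57:12 -0700] "GET /secret/ HTTP/1.0" 200 2326',
    '203.0.113.7 - rbowen [10/Oct/2000:13:57:20 -0700] "GET /secret/ HTTP/1.0" 401 381',
]

if __name__ == "__main__":
    for user, when in find_targeted_accounts(SAMPLE_LOG).items():
        print(f"{user}: reached threshold at {when}")   # rbowen: ... 13:57:20-07:00
```

Feeding real access_log lines to find_targeted_accounts (for example via tail -f) gives the same notification point as the BruteMaxTries/BruteMaxTime pair; the same counts could equally be kept per client address to support blocking it.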