We have bunches of web applications which use the regular Apache login
protection, and they won't run unless REMOTE_USER is set by the Apache
login.

    <Limit GET>
        require valid-user
    </Limit>
    <Limit POST PUT DELETE>
        require valid-user
    </Limit>
    AuthName O-Visitor
    AuthUserFile /usr/appl/cgi/.htpasswd
    AuthType Basic

Looking at improving security, it would seem that it would be much
harder to conduct brute-force attacks on these systems if we could
configure Apache login to do two things:
A. Present the CAPTCHA style validation prompt as part of the
login, to make it difficult for scripted attacks to proceed;
B. Lock out an individual username in the .htpasswd file after X
failed login attempts.
Are there flavors of Linux Apache which have modules to provide this?

Neal Rhodes
MNOP Ltd
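
An added example, not part of the original message: the per-username failure count behind item B, computed from an Apache error log so that repeated Basic-auth failures against one account become visible. It assumes Apache 2.4's default error-log timestamp and mod_auth_basic's AH01617/AH01618 messages; the log lines, function name and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# AH01617 = wrong password, AH01618 = username not in the password file.
FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[auth_basic:error\].*?'
    r'(?:AH01617: user (?P<bad_pw>[^:]+): authentication failure'
    r'|AH01618: user (?P<unknown>.+?) not found:)'
)
PW = 'AH01617: user {u}: authentication failure for "/cgi/app": Password Mismatch'
NF = 'AH01618: user {u} not found: /cgi/app'

def _line(ts, msg):
    return f'[{ts} 2024] [auth_basic:error] [pid 101] [client 192.0.2.10:50001] {msg}'

# Constructed sample log: alice fails 3 times in 40 s, carol 3 times over 20 min.
SAMPLE_LOG = [
    _line("Mon Mar 04 10:00:01.000000", PW.format(u="alice")),
    _line("Mon Mar 04 10:00:20.000000", PW.format(u="alice")),
    _line("Mon Mar 04 10:00:30.000000", NF.format(u="bob")),
    _line("Mon Mar 04 10:00:41.000000", PW.format(u="alice")),
    _line("Mon Mar 04 10:01:00.000000", PW.format(u="carol")),
    _line("Mon Mar 04 10:11:00.000000", PW.format(u="carol")),
    _line("Mon Mar 04 10:21:00.000000", PW.format(u="carol")),
    "[Mon Mar 04 10:22:00.000000 2024] [core:notice] [pid 1] AH00094: Command line: 'httpd'",
]

def users_over_threshold(lines, max_failures=3, window=timedelta(minutes=5)):
    """Map username -> time it first reached max_failures within the window."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a Basic-auth failure line
        user = m.group("bad_pw") or m.group("unknown")
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and user not in flagged:
            flagged[user] = ts
    return flagged

if __name__ == "__main__":
    for user, when in users_over_threshold(SAMPLE_LOG).items():
        print(f"{user} reached the failure threshold at {when}")
```

The function only reports which usernames crossed the threshold; what is done with that list is left to the administrator.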