Limiting .htaccess failure attempts
Website Rob 03-07-2001, 04:32 AM In helping people make their site better, I came across a web-based script that creates .htaccess & .htpasswd files. As part of making it easier for people not familiar with related Server-side applications (plus a thread I read at WHT), it dawned on me that there must be a way to limit the number of failed attempts.
In following the K.I.S.S. principle, I had thought (hoped) it would be somewhere within:
<Limit GET POST>
require
</Limit>
but I cannot seem to find any documentation on it. Spent time browsing and although HARD_SERVER_LIMIT & kill_conditions (under Apache API Constants (http://dev.apache.org/apidoc-old/index.html#Constants)) sound promising, I am not familiar enough to understand their usage.
Can anyone help shed some light on this?
[Edited by Website Rob on 03-10-2001 at 04:02 AM]
Website Rob 03-09-2001, 05:01 AM Note to Mods: As this post was made before the "Web Security" Forum was created, could one of you please move it there. Didn't realize this question would be so "out there" or hard to answer.
Thanks
thewebbie 03-11-2001, 12:47 PM Can you explain more about what you want to limit..?? The directives you speak of are only for the API which allows you to build your own dynamic plugin modules.
The syntax you have here is incomplete, you must "require something"
See http://www.apacheweek.com/features/userauth it is old but still accurate.
Website Rob 03-11-2001, 05:53 PM Hi Webbie. The idea is to limit the number of failed attempts when using .htaccess & .htpasswd files. By default, attempts can be made over and over again. I have no idea what the actual number is.
Within the .htaccess LIMIT tag you can have:
require valid-user -or- require user
both seem to work the same (for valid ID) so not sure what the difference is there.
I was hoping a restriction on the number of failed attempts could also be placed within the LIMIT tag. So for example, a person who fails 3 times to enter the correct ID & PW automatically gets forwarded to the 401 error page, or whatever has been set up.
Would you know if/how this can be done?
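For readers following the thread, here is an added example of a complete .htaccess for Apache Basic authentication; it is not from any post above, and the AuthName, the .htpasswd path and the user names are assumptions. It shows the difference the post asks about: "require valid-user" admits anyone listed in the password file, while "require user" admits only the accounts named on that line, even if others exist in the file. It also keeps the require directive outside a <Limit> block, because a require placed inside <Limit GET POST> only protects those two methods and a request using another method would not be challenged.

```apacheconf
# Added example .htaccess (not from the thread).
# Assumed values: the realm name, the .htpasswd path and the user names.

AuthType Basic
AuthName "Members Only"

# Absolute path to the password file, kept outside the document root
# so it cannot be fetched over HTTP.
AuthUserFile /home/example/.htpasswd

# Any user with a valid entry in the .htpasswd file may enter.
# Not wrapped in <Limit GET POST>: that would leave other methods unprotected.
require valid-user

# Alternative: only these named accounts may enter, even if the file holds more users.
# require user rob webbie
```

Only one of the two require lines should be active at a time; the commented one is shown for comparison.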
thewebbie 03-11-2001, 06:15 PM By default the attempts are limited to 3 and then a 401 error will come up. But this does not prevent someone from just hitting reload. You may need a different mod_auth module for apache. Check http://modules.apache.org/search for different modules. Maybe you can find something.
I was searching for something like that a few months ago, but I couldn't find a module that can block out an IP after x amount of failures.
Unless you create your own CGI based authentication module, you can't stop people from trying over and over. Maybe someone should tell the Apache people to include some sort of blocking after x amount of failed attempts.
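As an added example (not from any poster, and not a module Apache ships), here is the defender's side of thewebbie's point: Apache itself keeps no count of failed Basic-auth attempts, but every failure is recorded as a 401 in the access log, so a small script can flag client addresses that rack up repeated 401s within a short window. The log lines are constructed samples in Apache's common log format; the threshold and window are assumptions. A successful authenticated request (200 with a user name) clears an address's earlier failures, since an honest user who mistyped once should not be flagged. Note that the first 401 a browser receives is the initial challenge, not a wrong password, so a threshold of 1 would be too aggressive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2001:10:24:00 +0000] "GET /private/ HTTP/1.0" 401 381
203.0.113.5 - - [12/Mar/2001:10:24:02 +0000] "GET /private/ HTTP/1.0" 401 381
203.0.113.5 - - [12/Mar/2001:10:24:03 +0000] "GET /private/ HTTP/1.0" 401 381
203.0.113.5 - - [12/Mar/2001:10:24:05 +0000] "GET /private/ HTTP/1.0" 401 381
198.51.100.7 - - [12/Mar/2001:10:25:10 +0000] "GET /private/ HTTP/1.0" 401 381
198.51.100.7 - rob [12/Mar/2001:10:25:15 +0000] "GET /private/ HTTP/1.0" 200 1532
192.0.2.9 - - [12/Mar/2001:09:00:00 +0000] "GET /private/ HTTP/1.0" 401 381
192.0.2.9 - - [12/Mar/2001:10:30:00 +0000] "GET /private/ HTTP/1.0" 401 381
192.0.2.9 - - [12/Mar/2001:10:30:01 +0000] "GET /private/ HTTP/1.0" 401 381
192.0.2.9 - - [12/Mar/2001:10:30:02 +0000] "GET /private/ HTTP/1.0" 401 381
"""


def parse_line(line):
    """Return (ip, timestamp, status, user) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"]), m["user"]


def find_offenders(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for addresses that produced >= threshold 401s
    inside any `window`-long span. Threshold and window are assumed defaults."""
    recent = defaultdict(list)   # ip -> timestamps of 401s still inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip lines that do not match the format
        ip, ts, status, user = parsed
        if status == 401:
            recent[ip].append(ts)
            # keep only failures no older than the window, measured from this one
            recent[ip] = [t for t in recent[ip] if ts - t <= window]
            if len(recent[ip]) >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), len(recent[ip]))
        elif status == 200 and user != "-":
            # an authenticated success: treat earlier 401s as honest typos
            recent[ip] = []
    return offenders


if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed attempts within the window")
```

Run against a real access log (for example, by reading the file into `find_offenders`), the output is a list of addresses worth rate-limiting or blocking at the firewall; the script only reports, it does not change any server configuration.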
Website Rob 03-11-2001, 06:56 PM At one time, I was on a Server where the default was 3 attempts. Now, I have a Server from two different sources and with both of them, it is unlimited attempts -- or so it seems.
Even without a Refresh, when ID & PW are incorrect, the pop-up window allows a person the option to "Retry" or "Cancel" -- for who knows how many attempts. I've never tested how many.
I had hoped there was a way of controlling the number of failed attempts through the .htaccess file. It is starting to appear that this is not an option. :(
jonglenn 03-12-2001, 10:24 AM So let's say we come up with a script that displays an error page after 3 failed attempts, then a determined hacker might try some other means* to get in now that his plan A has failed.
So how about not letting him in but still not show an error page? That way he will keep making the same mistake and tire of it and move on. An honest user will likely email us a request for the password after a few honest attempts.
Would this be a better solution or should we just show an error page after 3 attempts? What's everyone's opinion or are there new ideas?
*Other than brute force, are there other ways hackers can get into a system? I heard for servers it's mostly by brute force but I am no expert.
Chicken 03-12-2001, 10:38 AM What about a fake return that makes them *think* they got in, heh. You know, a page of renamed viruses that they can download, heh. :)
Website Rob 03-12-2001, 03:58 PM Your proposal jonglenn, is a little off the mark from what I was looking for. Usually with a Password CGI script, I have it set for "one" failed attempt and they get an Error page. Depends on the script and function though.
My intent was to find something I could add (to the script mentioned in my first post) so that people who did not know how-to setup a CGI script or Apache Authentication, could still have a way to Password Protect their directories and/or files.