Since you're talking about Apache, I'll assume you're trying to protect brute-force HTTP Authentication style logins.
That's something I'm quite sure you will have a hard time doing within a traditional CGI environment.
Have you ever worked with mod_perl?
There are some good starter docs at modperl.com, and one seems specifically tailored to your needs: Blocking Greedy Clients.
I'm sure this could easily be modified to suit your purpose.
--twerq
You should be aware that any such "protection" makes for
an easy DoS attack. If I don't like you, I'll just repeatedly
try to log in using your name. The "protection script" kicks
in, and you will be denied access later on.
Using an IP number doesn't prevent the DoS attack, as there's
little relation between a user and the IP address. I'm typing
this from a company with about 50,000 employees - just in this
country, a multitude of them worldwide. And they all use a
small set of proxies. There isn't even one located in the
country I'm typing this in.
Abigail
I think that the goal of the OP was to deny access from a certain IP due to a suspected brute-force password cracker. In which case there is a strong connection between username and IP -- the username is being cracked from a specific IP.
In which case, it is wise to block that IP's access for a length of time. Seems to me that blocking specific known malicious IPs is standard, effective firewalling practice.
And last, a DoS attack is always easy, and always possible. It's like vandalism in a way... but the methods you have described would be foiled by the OP's solution.
If you repeatedly try to log in, you will be denied access. Wasn't that the objective?
--twerq
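The trade-off argued in this thread can be replayed offline. The following Perl script is an added example, not code from any of the posts: it runs one constructed login log through a lockout keyed by username, by IP, and by the IP and username pair, and reports which correct logins each policy refuses. The addresses, usernames and thresholds are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample log: [epoch secs, client IP, username, password correct?]
# 192.0.2.10 plays a shared corporate proxy, 198.51.100.7 an outside client.
my @attempts = (
    (map { [ 1000 + $_, '198.51.100.7', 'alice', 0 ] } 1 .. 6),  # guesses at alice
    (map { [ 1006 + $_, '192.0.2.10',   'carol', 0 ] } 1 .. 5),  # guesses at carol
    [ 1020, '192.0.2.10', 'alice', 1 ],   # the real alice, behind the proxy
    [ 1021, '192.0.2.10', 'bob',   0 ],   # bob mistypes once
    [ 1022, '192.0.2.10', 'bob',   1 ],
);

# Assumed thresholds: 5 failures within 300 s lock the key for 900 s.
my ($MAX_FAILS, $WINDOW, $LOCK_FOR) = (5, 300, 900);

# Replay the log under one keying policy and return "user@ip" for every
# attempt that had the correct password but was refused by a lock.
sub replay {
    my ($key_of, @log) = @_;
    my (%fails, %locked_until, @refused);
    for my $att (@log) {
        my ($t, $ip, $user, $ok) = @$att;
        my $key = $key_of->($ip, $user);
        if (($locked_until{$key} // 0) > $t) {
            push @refused, "$user\@$ip" if $ok;
            next;
        }
        if ($ok) { delete $fails{$key}; next }
        # Keep only failures inside the sliding window, then add this one.
        my @recent = grep { $_ > $t - $WINDOW } @{ $fails{$key} // [] };
        push @recent, $t;
        $fails{$key} = \@recent;
        $locked_until{$key} = $t + $LOCK_FOR if @recent >= $MAX_FAILS;
    }
    return @refused;
}

my %policy = (
    'by username'  => sub { $_[1] },
    'by IP'        => sub { $_[0] },
    'by IP + user' => sub { "$_[0]|$_[1]" },
);
for my $name (sort keys %policy) {
    my @refused = replay($policy{$name}, @attempts);
    printf "%-13s legitimate logins refused: %s\n",
        $name, @refused ? "@refused" : 'none';
}
```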