tosh has asked for the wisdom of the Perl Monks concerning the following question:

Okay...

I'm using AuthDBI as authentication handler, but now I would like to modify AuthDBI so it can block brute force password attacks.

A simple approach would be to take the IP address of the incoming connection, insert it into a database, then do a: "select count(id) from access_log where IP = $ENV{REMOTE_ADDR} AND timestamped (last 10 minutes)" and block the access according to whatever rules...

The problem seems to be getting $ENV{REMOTE_ADDR}. I've read some old posts by Doug MacEachern where he states that mod_env isn't available during the authentication stage.

Has this situation changed recently? Is there a way to get the IP address from the $r handler, or is there another way to secure against brute force password attacks while still using DBI to authenticate?

Thanks!!!

Tosh

Replies are listed 'Best First'.
Re: Apache::AuthDBI, environment variables and brute force
by davis (Vicar) on Nov 10, 2003 at 12:36 UTC

    According to my mod_perl quick reference card (reproduced verbatim):

        $c    = $r->connection;
        $addr = $c->remote_addr( [$addr] );
        $str  = $c->remote_host();
        $str  = $c->remote_ip( [$ip] );

    This is provided by the Apache::Connection class, although this documentation appears to contain what you want.

    Hope that helps


    davis
    It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.
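
The per-IP counting idea from the question, as an added example that is not part of the thread and not Apache::AuthDBI's own code. The access_log columns, the limit of 5, the function names and the in-memory SQLite database (needs DBD::SQLite) are assumptions chosen so that it runs stand-alone.

```perl
#!/usr/bin/perl
# Added example: per-IP failed-login throttle on top of DBI.
# Schema, limits and function names are assumptions, not AuthDBI's API.
use strict;
use warnings;
use DBI;

my $WINDOW = 600;   # seconds, the "last 10 minutes" from the question
my $LIMIT  = 5;     # assumed number of failures allowed per window

# Record one failed attempt for this client address.
sub record_failure {
    my ($dbh, $ip, $now) = @_;
    $dbh->do('INSERT INTO access_log (ip, ts) VALUES (?, ?)', undef, $ip, $now);
}

# True when the address has reached the limit inside the window.
# The IP is bound as a placeholder, never interpolated into the SQL.
sub is_blocked {
    my ($dbh, $ip, $now) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(id) FROM access_log WHERE ip = ? AND ts > ?',
        undef, $ip, $now - $WINDOW);
    return $n >= $LIMIT;
}

# Inside a mod_perl 1 authentication handler the address would come from
#   my $ip = $r->connection->remote_ip;
# The handler would refuse the request when is_blocked() is true and call
# record_failure() whenever the password check fails.

# Constructed demo data: in-memory database, fixed timestamps, TEST-NET IPs.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE access_log (id INTEGER PRIMARY KEY, ip TEXT, ts INTEGER)');

my $t0 = 1_000_000;
my $ip = '192.0.2.10';
record_failure($dbh, $ip, $t0 + $_) for 1 .. 5;

for my $case ([$ip, 10], [$ip, 700], ['192.0.2.11', 10]) {
    my ($addr, $offset) = @$case;
    printf "%-12s at t0+%-3d blocked: %s\n", $addr, $offset,
        is_blocked($dbh, $addr, $t0 + $offset) ? 'yes' : 'no';
}
```

When the server sits behind a reverse proxy, remote_ip is the proxy's address, so every client would share one counter. Counting per IP also does nothing against guesses spread over many addresses; a second counter keyed on the username covers that case.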