[CentOS] Securing http authentication from brute force attacks

Mon Jan 11 15:59:53 UTC 2010
James B. Byrne <byrnejb at harte-lyne.ca>

We have several web applications deployed under Apache that require
a user id / password authentication.  Some of these use htdigest and
others use the application itself.

Recently we have experienced several brute force attacks against
some of these services which have been dealt with for the nonce by
changes to iptables.  However, I am not convinced that these changes
are the answer.

Therefore I have been looking at http protection and have run across
a few independently provided modules for Apache http security,
mod_security being one of them.

I would like the opinion of other CentOS sysadmins who already have
faced this same problem, with respect to the solutions available and
those that they choose for themselves.

Sincerely,



-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3