Hi all:

I am working on a login section for a new project, which definitely requires user authentication.

The easiest way of doing that I assume would be using the HTTP basic authentication. I implemented it fine on the Apache server, SSL was also introduced to provide better security.

However, one thing concerns me, that it seems the basic authentication wouldn't stop no matter how many times a user failed to provide a valid username/password credential. It would just keep asking...

I reckon, since each time the web server receives the credential, it needs to go through the password file to look up whether a match exists or not, it takes a certain amount of server resources. My question is, would this be a security risk of having DoS attack by malicious users?

If so, how can I stop this? By adding some configuration/feature onto the Apache? Or just swap to some other authentication method? Digest Authentication?

Many thanks for the advice in advance.

+1  A: 

Step 1: Read this: http://en.wikipedia.org/wiki/Denial-of-service_attack#Prevention_and_response

Step 2: Implement this. Create a set of counters indexed by IP address. Each failure from an IP address increases the counter. The counter is the sleep time -- in seconds. 10 failed attempts means 10 seconds for the 401 response.

S.Lott
@S.Lott: Thanks for the suggestion, will definitely go there and understand more.
Michael Mao
+1  A: 

Handle the HTTP authentication yourself, keep a count of the number of logins per IP address (over a given time), and then just return 401 if the limits are reached.

mod_perl 2.0: http://perl.apache.org/docs/2.0/user/handlers/http.html#toc_PerlAuthenHandler

mod_php: http://no.php.net/manual/en/features.http-auth.php

mod_python: http://www.modpython.org/live/mod_python-3.2.8/doc-html/tut-more-complicated.html

nicomen
@nicomen : Thanks for the links, never knew where to look for the tips :)
Michael Mao
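
The per-IP counting that both answers describe, as an added example that is not part of either answer: failures are counted per address over a time window, each failure delays the 401 by one more second, and once the limit is reached the request is rejected before the password file is consulted. `FailedLoginThrottle` and `handle_request` are hypothetical names, not Apache or mod_python APIs, and the window, limit and delay cap are assumed values.

```python
import time
from collections import deque

class FailedLoginThrottle:
    """Per-IP failed-login counter over a sliding time window."""

    def __init__(self, window=300, max_failures=5, max_delay=10,
                 clock=time.monotonic):
        self.window = window              # seconds a failure stays counted (assumed)
        self.max_failures = max_failures  # failures in window before rejecting outright
        self.max_delay = max_delay        # cap, so delayed 401s cannot pin workers for long
        self.clock = clock
        self._failures = {}               # ip -> deque of failure timestamps

    def recent_failures(self, ip):
        """Expire old entries for ip and return how many failures remain."""
        q = self._failures.get(ip)
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[ip]        # forget idle addresses to bound memory
        return len(q)

    def is_blocked(self, ip):
        return self.recent_failures(ip) >= self.max_failures

    def record_failure(self, ip):
        """Count one failure; return the seconds to hold back the 401."""
        self.recent_failures(ip)
        q = self._failures.setdefault(ip, deque())
        q.append(self.clock())
        return min(len(q), self.max_delay)

def handle_request(throttle, ip, check_credentials, sleep=time.sleep):
    """Return the HTTP status for one Basic-auth attempt from ip."""
    if throttle.is_blocked(ip):
        return 401                        # over the limit: password file is never read
    if check_credentials():
        return 200
    sleep(throttle.record_failure(ip))    # delay grows by one second per failure
    return 401
```

The counter is keyed on the address the server sees, so users behind one proxy or NAT gateway share a single limit.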