Re: Web Authentication



Hi there... do you know of some software or exploit or whatever which can
make a brute force attack on htaccess? I just want to see how it works,
or if there is some web site with more detailed information about this
kind of attack (brute force)... Actually I know how it works when you
try to compromise some workstation, but I never knew how it works with
htaccess. Thanks all

On 7/27/06, Florian Streck <streck@xxxxxxxxxxx> wrote:
On Mon, Jul 24, 2006 at 10:54:46AM +0300, Maxim Kostyukov wrote:
> What exactly do you want to achieve by doing "better web authentication"?
> In your case, what are those weaknesses with the htpasswd scheme?

Well the problem with htaccess is that there is no mechanism that
checks for the number of trials or failures.
So you can brute-force your way in.

>
> I am asking because it is almost impossible to answer your question
> without additional info.
>
> ----- Original Message -----
> From: "pimp mastermind" <gbchustla@xxxxxxxxx>
> To: <security-basics@xxxxxxxxxxxxxxxxx>
> Sent: Thursday, July 20, 2006 7:36 AM
> Subject: Web Authentication
>
>
> >I have Slackware 10.1 running. I am using it as a router and
> >fileserver. I use Apache 1.3 for web access. I have some web
> >directories which I want to secure more strongly than with htpasswd
> >but I don't know any other ways of authentication. Also a lot of my
> >scripts in those directories are written in PHP, Perl and CGI scripting.
> >I need to find a better way of authentication. Does anyone know any
> >better way of authentication?
> >Thank you all in advance for your help
>

You could for example write a script that checks the logfiles for failed access
attempts and, if there are too many, restricts the access permissions for
the directories.
Otherwise you have to use scripts that provide the content of the
directories.




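The log-checking script suggested in the reply above could look like the following. This is an added example, not part of the original thread: it assumes Apache's Common Log Format, and the threshold, window, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def failed_auth_offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return sorted client addresses with more than max_failures 401s inside window."""
    recent = defaultdict(deque)   # address -> timestamps of its recent failures
    offenders = set()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # skip anything that is not a CLF line
        host, user, stamp, status = m.groups()
        # A 401 with authuser "-" is the browser's first request without
        # credentials (the challenge), not a wrong password: do not count it.
        if status != "401" or user == "-":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[host]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            offenders.add(host)
    return sorted(offenders)

def deny_block(addresses):
    """Render mod_access directives for the protected directory's .htaccess."""
    rules = ["Order Allow,Deny", "Allow from all"]
    return "\n".join(rules + [f"Deny from {a}" for a in addresses])

# Constructed sample log: one client failing 6 times in 10 seconds, one client
# failing once an hour, and one normal login (challenge, then success).
REQ = '"GET /private/ HTTP/1.0"'
SAMPLE = (
    [f'192.0.2.10 - admin [27/Jul/2006:10:00:{s:02d} +0200] {REQ} 401 401' for s in range(0, 12, 2)]
    + [f'203.0.113.5 - bob [27/Jul/2006:{h:02d}:00:00 +0200] {REQ} 401 401' for h in range(6)]
    + [f'198.51.100.7 - - [27/Jul/2006:10:05:00 +0200] {REQ} 401 401',
       f'198.51.100.7 - alice [27/Jul/2006:10:05:04 +0200] {REQ} 200 1532']
)

if __name__ == "__main__":
    print(deny_block(failed_auth_offenders(SAMPLE)))
```

Run periodically against the access log, the generated block only takes effect if the server's AllowOverride setting permits Limit directives in .htaccess for that directory.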



