Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

apache authentication via nis



Thanks Tom, you've made a very good point.

Tom Metro wrote:
> Stephen Adler wrote:
>> ...from what I can tell mod_auth_pam is not an official apache
>> module, but a 3rd party one.
>> I'm wondering how secure these 3rd party modules are...
> ...
>> I think the deal is to restrict http access to https or ssl. Then the 
>> username password are encrypted.
>
> It should be noted that one of the reasons why it generally isn't 
> recommended to use something like mod_auth_pam authentication, even 
> with SSL, is that unlike sshd and other shell login mechanisms, there 
> is no limit on the speed or quantity of login attempts (unless they've 
> fixed this in recent years), which can leave your machine vulnerable 
> to brute force attacks, or even with strong passwords, the 
> denial-of-service side effects of such attacks.
>
> If access to the web server isn't inherently limited to a LAN, you 
> should consider limiting access (via Apache or a software or hardware 
> firewall) to a specific network or set of IPs.
>
>  -Tom
>





BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org