Stephen Adler wrote:
> ...from what I can tell mod_auth_pam is not an official apache
> module, but a 3rd party one.
> I'm wondering how secure these 3rd party modules are...
...
> I think the deal is to restrict http access to https or ssl. Then the
> username password are encrypted.

It should be noted that one of the reasons why it generally isn't recommended to use something like mod_auth_pam authentication, even with SSL, is that unlike sshd and other shell login mechanisms, there is no limit on the speed or quantity of login attempts (unless they've fixed this in recent years), which can leave your machine vulnerable to brute force attacks, or even with strong passwords, the denial-of-service side effects of such attacks.

If access to the web server isn't inherently limited to a LAN, you should consider limiting access (via Apache or a software or hardware firewall) to a specific network or set of IPs.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
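
An added example, not part of the original post: because the message points out that nothing throttles login attempts against HTTP authentication, one way to at least notice a guessing run is to count failed authentication responses per client in the Apache access log. The common/combined log format, the threshold of 5 failures per 60 seconds, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: host ident user [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flag_auth_floods(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak number of failed logins inside one window}
    for clients that exceed max_failures. Thresholds are assumed values."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, stamp, status = m.groups()
        # A 401 with user "-" is only the initial challenge (no credentials
        # were sent), so it is not counted as a password attempt.
        if status != "401" or user == "-":
            continue
        ts = datetime.strptime(stamp, TIME_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: one normal login, one client guessing passwords."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{} - {} [{}] "GET /private/ HTTP/1.1" {} 381'
    rows = [("192.0.2.10", "-", 0, 401), ("192.0.2.10", "alice", 4, 200)]
    rows += [("203.0.113.7", "root", 10 + 2 * i, 401) for i in range(20)]
    return [fmt.format(ip, user,
                       (base + timedelta(seconds=s)).strftime(TIME_FMT), code)
            for ip, user, s, code in rows]

if __name__ == "__main__":
    for ip, peak in flag_auth_floods(sample_log()).items():
        print(f"{ip}: {peak} failed logins within one window")
```

A slow guesser that stays under the threshold is not flagged, so this complements restricting access to a known network rather than replacing it.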