Thanks Tom, you've made a very good point.

Tom Metro wrote:
> Stephen Adler wrote:
>> ...from what I can tell mod_auth_pam is not an official apache
>> module, but a 3rd party one.
>> I'm wondering how secure these 3rd party modules are...
> ...
>> I think the deal is to restrict http access to https or ssl. Then the
>> username password are encrypted.
>
> It should be noted that one of the reasons why it generally isn't
> recommended to use something like mod_auth_pam authentication, even
> with SSL, is that unlike sshd and other shell login mechanisms, there
> is no limit on the speed or quantity of login attempts (unless they've
> fixed this in recent years), which can leave your machine vulnerable
> to brute force attacks, or even with strong passwords, the
> denial-of-service side effects of such attacks.
>
> If access to the web server isn't inherently limited to a LAN, you
> should consider limiting access (via Apache or a software or hardware
> firewall) to a specific network or set of IPs.
>
> -Tom
>
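
An added example, not part of the original thread: since the concern above is that HTTP authentication has no limit on the speed or quantity of login attempts, a defender can at least watch the Apache access log for bursts of 401 responses from one client. The log format (Apache common/combined), the threshold, the window, and the constructed sample lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def find_auth_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count of 401s inside any sliding window} for every
    client whose peak reaches the threshold (threshold/window are assumed values)."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "401":
            continue              # unparsable lines and non-401 responses are ignored
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    req = '"GET /private/ HTTP/1.1"'
    lines = []
    for s in range(0, 12, 2):     # six failures within ten seconds: a burst
        lines.append(f'203.0.113.7 - - [10/Mar/2010:14:02:{s:02d} -0500] {req} 401 401')
    for i in range(5):            # five failures three minutes apart: below threshold
        lines.append(f'192.0.2.9 - bob [10/Mar/2010:14:{10 + 3 * i:02d}:00 -0500] {req} 401 401')
    # Normal browser behaviour: one 401 challenge, then a successful login
    lines.append(f'198.51.100.20 - - [10/Mar/2010:14:03:00 -0500] {req} 401 401')
    lines.append(f'198.51.100.20 - alice [10/Mar/2010:14:03:04 -0500] {req} 200 5120')
    return lines

if __name__ == "__main__":
    for ip, count in find_auth_bursts(sample_log()).items():
        print(f"{ip}: {count} failed logins within 60 seconds")
```

This only reports after the fact; the network or IP restriction suggested in the quoted message is what actually limits who can make the attempts.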
BLU is a member of BostonUserGroups.
We also thank MIT for the use of their facilities.