From owner-freebsd-isp Thu Apr 1 6:19:25 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from aniwa.sky (p53-max12.wlg.ihug.co.nz [216.100.145.53]) by hub.freebsd.org (Postfix) with ESMTP id 6A04814F5B for ; Thu, 1 Apr 1999 06:19:06 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id CAA03157; Fri, 2 Apr 1999 02:17:46 +1200 (NZST)
Message-Id: <199904011417.CAA03157@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: "Song, Bo Run"
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Web Based Script
In-reply-to: Your message of "Tue, 30 Mar 1999 17:00:13 +0800."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 02 Apr 1999 02:17:45 +1200
From: Andrew McNaughton
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I had written a PHP3 Radius authentication function. It can be used to
> do user authentication. Combined with a detail-to-Mysql perl script (
> run in crontab), we used it to provide a web interface of customer
> usage query.
>
> To prevent password guessing attack, a sleep() should be put into
> the PHP3 script.

This assumes that the password attack script makes attacks in series. If it
runs multiple queries in parallel, then your sleep() function will not slow
them down much, but will increase the impact on your server of running a lot
of CGI calls in a short space of time.

It's analogous to attacks on sendmail using RCPT to check for valid mail
addresses. See bugtraq articles last month for that discussion.

Andrew McNaughton

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
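The point Andrew makes above, as an added example (Python, not code from either poster or from the PHP3 script discussed): a per-request sleep() only scales the attacker's wall-clock cost by 1/parallelism, while a per-account failure counter checked before the RADIUS round trip refuses guesses regardless of how many arrive at once. The RADIUS check, the credential and the limiter thresholds are constructed for the example.

```python
import math
from collections import defaultdict, deque

# Constructed stand-in for the RADIUS round trip in the PHP3 login script.
VALID = {"alice": "correct horse"}


def radius_auth(user: str, password: str) -> bool:
    return VALID.get(user) == password


def sleep_throttle_wall_time(guesses: int, parallel: int, delay: float) -> float:
    """Seconds an attacker waits if each request sleeps `delay` seconds and
    `parallel` requests run at once. Modelled arithmetically, not slept:
    the server still services every guess, just `parallel` at a time."""
    return math.ceil(guesses / parallel) * delay


class FailureLimiter:
    """Refuse an account once it has `max_failures` failed logins inside
    `window` seconds. The count is consulted before the RADIUS call, so it
    holds whether guesses arrive one at a time or all in the same second."""

    def __init__(self, max_failures: int = 5, window: float = 300.0):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, user: str, now: float) -> None:
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, user: str, now: float) -> bool:
        self._prune(user, now)
        return len(self._failures[user]) < self.max_failures

    def login(self, user: str, password: str, now: float) -> str:
        if not self.allowed(user, now):
            return "locked"  # never reaches RADIUS, no CGI cost beyond this check
        if radius_auth(user, password):
            return "ok"
        self._failures[user].append(now)
        return "denied"


def radius_calls_under_limiter(guesses: int, limiter: FailureLimiter, now: float) -> int:
    """How many of `guesses` for one account actually hit RADIUS when they all
    arrive at the same instant (the parallel case)."""
    results = [limiter.login("alice", f"guess{i}", now) for i in range(guesses)]
    return results.count("denied")
```

In a real CGI deployment the counter must live in a store shared by all the PHP processes and be updated atomically, otherwise parallel requests can each read the pre-increment count and slip past the threshold.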