From owner-freebsd-isp Wed Apr 7 12:43:35 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 2134314BE6 for ; Wed, 7 Apr 1999 12:43:33 -0700 (PDT) (envelope-from freebsd@deepwell.com)
Received: (qmail 1889 invoked from network); 7 Apr 1999 20:16:43 -0000
Received: from attybb.bleier.com (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 7 Apr 1999 20:16:43 -0000
Message-Id: <4.1.19990408123628.012aec70@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Thu, 08 Apr 1999 12:40:05 -0700
To: Ryan Mooney
From: Deepwell Internet
Subject: Apache users file (was Re: Web Based Script)
Cc: freebsd-isp@freebsd.org
In-Reply-To: <199904071840.LAA11203@pcslink.com>
References: <370B9C55.A7CE4059@eclipse.net.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

After reading the doc on apache.org I see you can use /etc/passwd for authentication, and I understand the reasons why not to. How would you go about doing this under FreeBSD? The passwords are shadowed into master.passwd and they also exist in a .db file. I wouldn't want to raise the permissions of httpd, and I don't want to open the shadow file to everyone.

At 11:40 AM 4/7/99 -0700, you wrote:
>
>> > Yes but "clever hacker"(TM) can run multiple requests
>> > in parallel for either one which basically renders the
>> > whole delay thing of questionable value.
>>
>> ahhh - if you are running from inetd then POP is better in that respect
>> as you can limit the number of connections per IP address,
>
>Good point.
>
>> in *that* case, then that is something httpd coders might want to think
>> about (only on unauthenticated or bad attempts to login to a
>> password-protected server).
>
>Not a bad idea, this would slow down unfriendly robots too... Maybe
>some kind of threshold where if you see more than N requests/Y time
>you start inserting gradually increasing delays until the requests/Y
>fall below N (sort of like the thttpd traffic shaping, but more dynamic).
>This could really help a lot of services like that... Some sort of
>persistent pop daemon (not qpopper :) that understood connection limiting
>could help the "connect every minute" weenies, does cuici (sp?) pop do
>that?
>
>> still not ideal, because "clever hacker"
>> could be changing the source to any of > virtual servers on some machine "clever hacker" has owned> IP addresses,
>> but it does make it a bit more tricky for them.
>
>Yeah, I've always believed in "good enough" security, you make your
>stuff hard enough to get into that they go bother someone else (of
>course the bar keeps getting raised).
>
>> as you say, if Joe Luser knew what an ssl client cert was ... :)
>
>>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
>Ryan Mooney Phone (602)265-9188 PCSLink
>ryan@pcslink.com Internet Services
> NT is an excellent choice for managers who need to show that they used
> up their fiscal year budget for hardware/software expenditures.
><-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
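The threshold scheme sketched in the quoted reply (more than N bad attempts per Y seconds from one source, then gradually growing delays that fade once the rate drops under N), written out as an added example; this is not code from the mail, from Apache or from any POP daemon, and the class name, method names and parameter values are assumptions.

```python
"""Progressive per-source delay for repeated failed logins.

Added illustration of the idea in the quoted discussion: a client that
fails more than N times within a Y-second window gets an answer delay that
doubles with each further failure, capped, and returns to zero when its
failures in the window drop back under N. Example code only; names and
defaults are assumptions, not anything from httpd or a POP server.
"""
from collections import defaultdict, deque


class FailedLoginThrottle:
    def __init__(self, max_per_window=5, window_seconds=60.0,
                 base_delay=1.0, max_delay=30.0):
        self.n = max_per_window        # N: failures tolerated per window
        self.y = window_seconds        # Y: sliding window length (seconds)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = defaultdict(deque)   # source -> failure timestamps

    def _prune(self, source, now):
        # Forget failures older than the window so the delay decays.
        q = self._failures[source]
        while q and now - q[0] > self.y:
            q.popleft()
        return q

    def record_failure(self, source, now):
        """Record one bad attempt from `source` at time `now` and return
        the delay in seconds the server should sleep before replying."""
        q = self._prune(source, now)
        q.append(now)
        excess = len(q) - self.n
        if excess <= 0:
            return 0.0
        # Doubles with every failure beyond N; capped at max_delay.
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def record_success(self, source):
        # A good login clears the source's failure history.
        self._failures.pop(source, None)


def simulate(attempts, **kw):
    """attempts: iterable of (timestamp, source, ok). Returns the delay
    the throttle would impose on each attempt, in order (constructed input)."""
    throttle = FailedLoginThrottle(**kw)
    delays = []
    for now, source, ok in attempts:
        if ok:
            throttle.record_success(source)
            delays.append(0.0)
        else:
            delays.append(throttle.record_failure(source, now))
    return delays
```

Parallel attempts from many source addresses still get through, as the quoted reply notes; this only raises the cost per source.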