[Solved] Limiting password attempts in lighttpd
Added by graysky almost 9 years ago
I recently began playing with lighttpd and am using password protection for the server.
Goal: limit the number of failed attempts to 3 natively (i.e. within lighttpd).
Question: Is this possible or do I need a 3rd party util like fail2ban?
For reference:
/etc/lighttpd/lighttpd.conf

    server.port = 80
    server.username = "http"
    server.groupname = "http"
    server.document-root = "/srv/http/test"
    server.modules = (
      "mod_access",
      "mod_accesslog",
      "mod_auth",
    )

    auth.debug = 2
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/etc/lighttpd/lighttpd.user"
    auth.require = ( "/" =>
      (
        "method" => "basic",
        "realm" => "edited for this post",
        "require" => "user=edited for this post"
      )
    )

    server.errorlog = "/var/log/lighttpd/error.log"
    accesslog.filename = "/var/log/lighttpd/access.log"
    #dir-listing.activate = "enable"
    index-file.names = ( "index.html" )
    mimetype.assign = (
      ".html" => "text/html",
      ".txt" => "text/plain",
      ".css" => "text/css",
      ".js" => "application/x-javascript",
      ".jpg" => "image/jpeg",
      ".jpeg" => "image/jpeg",
      ".gif" => "image/gif",
      ".png" => "image/png",
      "" => "application/octet-stream"
    )

    $SERVER["socket"] == ":443" {
      ssl.engine = "enable"
      ssl.pemfile = "/etc/lighttpd/Certs/local.pem"
    }
Replies (2)
RE: Limiting password attempts in lighttpd - Added by gstrauss almost 9 years ago
> Goal: limit the number of failed attempts to 3 natively (i.e. within lighttpd).
> Question: Is this possible or do I need a 3rd party util like fail2ban?
To some extent, this is possible with centralized backends that apply a password policy, e.g. LDAP.
However, since there are so many more advanced ways to detect and respond to threats across multiple requests, e.g. lots of failures for different usernames from the same IP, fail2ban is one good solution which lets you configure what actions to take.
RE: Limiting password attempts in lighttpd - Added by graysky almost 9 years ago
Thanks. I will give f2b a try.
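
Added example, not part of the thread and not lighttpd or fail2ban code: a sketch of the cross-request detection described in the reply above, counting failed logins per client IP inside a sliding window over the server.errorlog and recording which usernames each flagged IP tried. The log-line shape, the sample lines, and the names find_offenders, max_retry and find_time are assumptions made for illustration; match the regex to what your lighttpd version actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a mod_auth failure line in error.log (verify against your own log).
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \((?:http|mod)_auth\.c\.\d+\) "
    r"password doesn't match for \S+ username: (?P<user>[^,]+), IP: (?P<ip>\S+)\s*$"
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for IPs with max_retry failures inside find_time."""
    recent = defaultdict(deque)  # ip -> (timestamp, username) pairs still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an authentication failure
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append((ts, m["user"]))
        # Drop failures that have aged out of the sliding window.
        while ts - window[0][0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            offenders.setdefault(m["ip"], set()).update(u for _, u in window)
    return {ip: sorted(users) for ip, users in offenders.items()}

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    "2024-01-01 12:00:00: (server.c.1234) server started",
    "2024-01-01 12:00:01: (mod_auth.c.525) password doesn't match for / username: admin, IP: 203.0.113.7",
    "2024-01-01 12:00:05: (mod_auth.c.525) password doesn't match for / username: bob, IP: 198.51.100.4",
    "2024-01-01 12:00:30: (mod_auth.c.525) password doesn't match for / username: root, IP: 203.0.113.7",
    "2024-01-01 12:01:00: (mod_auth.c.525) password doesn't match for / username: bob, IP: 198.51.100.4",
    "2024-01-01 12:01:10: (mod_auth.c.525) password doesn't match for / username: alice, IP: 203.0.113.7",
    "2024-01-01 12:40:00: (mod_auth.c.525) password doesn't match for / username: bob, IP: 198.51.100.4",
]

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: threshold reached, usernames tried: {', '.join(users)}")
```

The second client in the sample is not flagged at the default threshold because its third failure falls outside the ten-minute window.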