.htaccess

Warren Togami warren at togami.com
Sun Apr 29 14:48:22 PDT 2001


Normal http auth is fairly easy to brute force crack if the attacker knows
the login name.  This is because http auth doesn't disallow connection after
a certain number of failures, and login attempts can be done in rapid
succession.  One simple method of making this harder to crack is to hide
your .htpassword file like Ray suggests, then edit it manually.  Change the
login name to something strange with uppercase, lowercase and space
characters.  htpasswd (the executable) won't allow this, but editing the file
manually works.

----- Original Message -----
From: "Ray Strode" <halfline at hawaii.rr.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Sunday, April 29, 2001 11:35 AM
Subject: [luau] RE: .htaccess


> > and ran the htpasswd program to create .htpassword in the same dir
> > as the root html files.  It's as if the server doesn't see them because
> > a pass prompt never comes up and I can get right to the pages, I've been
> > to several "tutorial" pages but apparently I've missed something.  I'm
> > using redhat 7.1, any ideas?
> Firstly, don't put your .htpassword file anywhere under the document root,
> if someone gets access to it, they can easily brute force on their own
> computer until they find the password without your logs knowing anything.
> Secondly, what does
> cat /etc/httpd/conf/httpd.conf | grep AuthType
> list?
>
> --Ray
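Since basic auth itself never locks anyone out, the defender's side of the point Warren makes is to spot the burst of 401 responses in the access log. The following is an added example, not code from this thread or from Apache: a sliding-window detector run over constructed Apache combined-format log lines (the IPs, usernames, timestamps and threshold are all invented for the demonstration).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six failed attempts for "admin" from one host within
# a few seconds, one stray failure from another host, then a success.
SAMPLE_LOG = [
    f'10.0.0.5 - admin [29/Apr/2001:14:48:{s:02d} -1000] "GET /private/ HTTP/1.0" 401 381 "-" "curl/7.0"'
    for s in range(1, 7)
] + [
    '10.0.0.9 - bob [29/Apr/2001:14:50:00 -1000] "GET /private/ HTTP/1.0" 401 381 "-" "Mozilla/4.0"',
    '10.0.0.5 - admin [29/Apr/2001:14:48:07 -1000] "GET /private/ HTTP/1.0" 200 1043 "-" "curl/7.0"',
]

# client IP, remote user (%u, which Apache fills in even on a 401), timestamp, status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')


def parse_line(line):
    """Return (ip, user, datetime, status) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, stamp, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, user, when, int(status)


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return sorted (ip, user, peak) for every (ip, user) pair whose peak
    count of 401 responses inside any single `window` reaches `threshold`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 401:
            failures[(rec[0], rec[1])].append(rec[2])
    bursts = []
    for (ip, user), times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it spans at most `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((ip, user, peak))
    return sorted(bursts)


if __name__ == "__main__":
    for ip, user, peak in find_bursts(SAMPLE_LOG):
        print(f"{ip} tried user {user!r}: {peak} failures within one window")
```

Tune `threshold` and `window` to the real traffic of the protected area; a single legitimate user mistyping a password a couple of times should stay well under the threshold.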
