Thread: advanced Apache authorization: updates triggered by select?
Hi boys (and girls)?

Authorization to web contents can be easily done with some Apache modules like mod_auth_pgsql (I wrote a little summary some time ago on http://bluebell.marzen.de/mod_auth_pgsql/).

But what if we need some kind of protection against brute force attacks? The modules are usually designed to do only selects. Is it possible to write some kind of magic that updates the same or another table at the same time?

For every select the following logic should automagically be triggered:

- If userid/password is correct then set a counter for this userid to zero.

- If userid/password is not correct then increment the counter for this userid.

That should be enough because the password check could include something like "and counter <= 5".

Any ideas?

--
PGP/GPG Key-ID: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xB5A1AFE1
Holger Marzen wrote:
>
> Hi boys (and girls)?
>
> Authorization to web contents can be easily done with some Apache
> modules like mod_auth_pgsql (I wrote a little summary some time ago on
> http://bluebell.marzen.de/mod_auth_pgsql/).
>
> But what if we need some kind of protection against brute force attacks?
> The modules are usually designed to do only selects. Is it possible to
> write some kind of magic that updates the same or another table at the
> same time?
>
> For every select the following logic should automagically be
> triggered:
>
> - If userid/password is correct then set a counter for this userid to
> zero.
>
> - If userid/password is not correct then increment the counter for this
> userid.
>
> That should be enough because the password check could include something
> like "and counter <= 5".
>
> Any ideas?

Don't do the SELECT directly from the module, but call a stored procedure instead that does the entire check and returns a boolean.

If this thing is called with enough information (not only user and pass), it can do all kinds of things, like restricting certain users to certain times, coming from specific IPs, whatnot. And a site administrator could relatively easily customize that thing. All he needs is a bit of knowledge about PL/pgSQL - and who hasn't?

Jan

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #
On Tuesday 17 Sep 2002 3:44 pm, Holger Marzen wrote:
> Hi boys (and girls)?
>
> Authorization to web contents can be easily done with some Apache
> modules like mod_auth_pgsql (I wrote a little summary some time ago on
> http://bluebell.marzen.de/mod_auth_pgsql/).
>
> But what if we need some kind of protection against brute force attacks?
> The modules are usually designed to do only selects. Is it possible to
> write some kind of magic that updates the same or another table at the
> same time?
> - If userid/password is correct then set a counter for this userid to
> zero.
> - If userid/password is not correct then increment the counter for this
> userid.

You'll want to write a plpgsql function so you can do:

SELECT check_password('user','password');

Then in check_password you can do your counting. See the Programmers Guide pt III and http://techdocs.postgresql.org/ for help on writing functions.

Ideally, you could do this with a view and a SELECT rule, but SELECT rules seem to only allow a single action and that has to be a SELECT.

HTH

- Richard Huxton
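The check_password() function that both Jan and Richard describe, written out as an added example (not code from the thread or from mod_auth_pgsql). The table name web_users, its columns, and the use of pgcrypto's crypt()/gen_salt() for the stored hash are assumptions; the lockout threshold of 5 is the one Holger gives.

```sql
-- Added example, not from the thread. Assumes a table web_users (name and
-- columns are assumptions) and the pgcrypto extension for crypt()/gen_salt().
CREATE TABLE web_users (
    userid        text PRIMARY KEY,
    pwhash        text    NOT NULL,           -- crypt()-style hash, never plaintext
    failed_logins integer NOT NULL DEFAULT 0  -- the counter from the question
);

CREATE OR REPLACE FUNCTION check_password(p_user text, p_pass text)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER   -- lets the web role call this without UPDATE rights on the table
AS $$
DECLARE
    v_hash   text;
    v_failed integer;
BEGIN
    -- Lock the row so concurrent attempts serialize their counter updates.
    SELECT pwhash, failed_logins INTO v_hash, v_failed
      FROM web_users WHERE userid = p_user FOR UPDATE;

    IF NOT FOUND THEN
        -- Unknown userid: spend roughly the time of a real hash check so the
        -- response time does not reveal which userids exist.
        PERFORM crypt(p_pass, gen_salt('bf'));
        RETURN false;
    END IF;

    -- Locked out once the counter passes 5 ("and counter <= 5" above);
    -- keep counting so the lockout cannot be reset by further guesses.
    IF v_failed >= 5 THEN
        UPDATE web_users SET failed_logins = failed_logins + 1 WHERE userid = p_user;
        RETURN false;
    END IF;

    IF crypt(p_pass, v_hash) = v_hash THEN
        -- Correct password: reset the counter to zero.
        UPDATE web_users SET failed_logins = 0 WHERE userid = p_user;
        RETURN true;
    END IF;

    -- Wrong password: increment the counter.
    UPDATE web_users SET failed_logins = failed_logins + 1 WHERE userid = p_user;
    RETURN false;
END;
$$;

-- Issued by the Apache module (or psql) exactly as Richard shows:
-- SELECT check_password('alice', 'secret');
```

Because the function writes to the table, the module's connection must commit after the SELECT (autocommit does this), and an administrator needs a separate path to reset failed_logins for a locked-out user.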