Valid attempts .htaccess

1

I have an .htaccess and an .htpasswd; when I enter the page it opens the prompt to enter the username and password. Everything works OK. What validation should I do to limit the number of times a user can enter the username and password combination? I want it to raise an error the third time I enter it wrong.

My .htaccess has the form:

AuthType Basic
AuthName "Por favor ingresa tu codigo y clave"
AuthUserFile /etc/httpd/.htpasswd
require valid-user
    
asked by dtorralba 23.03.2016 at 13:57

2 answers

1

Searching on the subject (not verified), you can control it with the ModSecurity module.

If your server does not have it enabled by default: How to install and configure modsecurity

Try the following code, which establishes 3 failed attempts for each unique IP; if it fails in more than 3 attempts, the IP will be blocked for 10 minutes.

<LocationMatch /sessions>
    # Initialise the per-client IP collection so that IP.bf_counter and
    # IP.bf_block persist between requests (ModSecurity 2.x needs this;
    # without initcol the counters are never stored)
    SecAction "id:10000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

    # Uncomment to troubleshoot
    #SecDebugLogLevel 9
    #SecDebugLog /tmp/troubleshooting.log

    # Enforce an existing IP address block
    # (ModSecurity 2.7+ requires a unique id on every rule; the ids here are arbitrary)
    SecRule IP:bf_block "@eq 1" \
        "id:10001,phase:2,deny,\
        msg:'IP address blocked because of suspected brute-force attack'"

    # Check that this is a POST
    SecRule REQUEST_METHOD "@streq POST" "id:10002,phase:5,chain,t:none,nolog,pass"
        # AND Check for authentication failure and increment counters
        # NOTE this is for a Rails application, you probably need to customize this
        # (HTTP Basic Auth, as in the question, answers a failed login with a 401, on a GET)
        SecRule RESPONSE_STATUS "^200" \
            "setvar:IP.bf_counter=+1"

    # Check for too many failures from a single IP address. Block for 10 minutes.
    SecRule IP:bf_counter "@ge 3" \
        "id:10003,phase:5,pass,t:none,\
        setvar:IP.bf_block,\
        setvar:!IP.bf_counter,\
        expirevar:IP.bf_block=600"
</LocationMatch>

Customization:

You can specify the number of access attempts before the IP is blocked:

SecRule IP:bf_counter "@ge 3" \

and the blocking time in seconds (600 seconds = 10 minutes):

expirevar:IP.bf_block=600

Excerpted from: Brute Force Authentication Protection with ModSecurity (in English)

    
answered by 22.04.2016 at 17:26
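As an added illustration of the counter-and-block logic this answer describes (example code written for this page, not taken from the answer or from the ModSecurity project), the following Python script replays constructed Apache combined-log lines through the same per-IP rule: count 401 responses, lock the client after three, and let the lock lapse after 600 seconds. It goes one step beyond the posted rule by also expiring the failure counter after a window, which the ModSecurity snippet never does. The log lines, the IP addresses and the `BruteForceGuard`, `replay` and `locked_ips` names are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from the question): one client
# fails HTTP Basic Auth three times and is then locked out even when it finally
# sends the right password; a second client fails once and recovers; the first
# client comes back after the 10-minute block has lapsed.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2016:13:57:01 +0100] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2016:13:57:05 +0100] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2016:13:57:09 +0100] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - alice [23/Mar/2016:13:57:15 +0100] "GET /private/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Mar/2016:13:58:00 +0100] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.2 - alice [23/Mar/2016:13:58:04 +0100] "GET /private/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2016:14:08:00 +0100] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, status, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(m.group("status")), ts


class BruteForceGuard:
    """Per-IP failed-login counter with a timed block, mirroring the
    IP.bf_counter / IP.bf_block / expirevar logic of the ModSecurity rule above.
    The failure window is an addition: the posted rule never expires bf_counter."""

    def __init__(self, max_failures=3, block_seconds=600, window_seconds=600):
        self.max_failures = max_failures
        self.block_for = timedelta(seconds=block_seconds)
        self.window = timedelta(seconds=window_seconds)
        self.failures = {}     # ip -> (count, time of last failure)
        self.block_until = {}  # ip -> time at which the block lapses

    def is_blocked(self, ip, now):
        until = self.block_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.block_until[ip]   # expirevar: the block has lapsed
            return False
        return True

    def record(self, ip, status, now):
        """Decide one request: 'blocked', 'locked', 'failed' or 'ok'."""
        if self.is_blocked(ip, now):
            return "blocked"            # phase:2 deny, regardless of credentials
        if status != 401:
            self.failures.pop(ip, None)  # a successful login clears the counter
            return "ok"
        count, last = self.failures.get(ip, (0, None))
        if last is not None and now - last > self.window:
            count = 0                    # stale failures no longer count
        count += 1
        if count >= self.max_failures:
            self.block_until[ip] = now + self.block_for   # setvar:IP.bf_block + expirevar
            self.failures.pop(ip, None)                   # setvar:!IP.bf_counter
            return "locked"
        self.failures[ip] = (count, now)
        return "failed"


def replay(log_text, max_failures=3, block_seconds=600, window_seconds=600):
    """Feed every parsable log line through the guard; return (ip, status, decision) triples."""
    guard = BruteForceGuard(max_failures, block_seconds, window_seconds)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, status, ts = parsed
        decisions.append((ip, status, guard.record(ip, status, ts)))
    return decisions


def locked_ips(decisions):
    """The set of client addresses that hit the lockout threshold during the replay."""
    return {ip for ip, _, decision in decisions if decision == "locked"}


if __name__ == "__main__":
    for ip, status, decision in replay(SAMPLE_LOG):
        print(f"{ip:<14} {status} -> {decision}")
```

Two caveats show up in the replay: the client that was locked is still refused at 13:57:15 even though that request carried the right password, which is exactly what the `deny` in phase 2 does, and a browser's very first request to a Basic Auth area arrives without an Authorization header and is also answered 401, so a rule that counts every 401 counts that challenge as a failure; in production you would count only requests that actually carried credentials, which the plain access log cannot tell apart. Blocking by IP also locks out everyone behind the same NAT or proxy, so keep the block short, as the 600-second `expirevar` does.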
0

You can not (ref). And normally it's not worth it. In general, the browser itself is responsible for limiting the number of retries.

    
answered by 23.03.2016 at 14:54