.htaccess alternative
Is there anything else better than .htaccess and a .htpasswd file?
I just got nine Pennywize blocked accounts in the last hour; that's over 40 breached accounts in the last 3 weeks! I use forced random passwords so they can't be brute forcing, I just don't know how they are doing it! Bastards are killing me!
Make a login/pass form with a random verification code in a GIF file on each load, generated by PHP or another language.
I dunno if it has ever been done for paysites, but it would work to discourage password crackers :)
We use a token-based authentication system based on Perl accessing a MySQL database. Brute force attacks are hard to carry off on our system, although sometimes they do get lucky. If an individual IP address has too many login attempts in a given period of time, that IP is blocked temporarily. If a given username has too many login attempts in a given period of time, that username is blocked temporarily. Only one person can be logged in to the site at a time; if another person logs in, the first person is logged out. If there are too many different IP address ranges on a username, the password is changed and the owner is notified by email. We've thought about making the surfer enter a code with their login from a graphic (a la PayPal / Overture / etc.) but we haven't done that yet. There's a lot you can do, but it takes a bit of custom coding.
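The per-IP and per-username lockouts, the single-session rule and the "too many IP ranges" check described in the post above, as an added example in Python (the poster's system is Perl and MySQL; this is not their code). The window and thresholds are constructed for illustration, and IPv4 with /24 ranges is assumed.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

class LoginGuard:
    """Sliding-window failure counts per IP and per username, one active
    session per username, and a flag when a username is used from more
    distinct /24 ranges than allowed. Thresholds are assumed values."""

    def __init__(self, window=600, max_ip_fail=10, max_user_fail=5, max_ranges=3):
        self.window = window              # seconds of history that count
        self.max_ip_fail = max_ip_fail
        self.max_user_fail = max_user_fail
        self.max_ranges = max_ranges
        self.ip_fail = defaultdict(deque)     # ip -> failure timestamps
        self.user_fail = defaultdict(deque)   # user -> failure timestamps
        self.user_ranges = defaultdict(dict)  # user -> {/24 network: last seen}
        self.sessions = {}                    # user -> active session id

    def _prune(self, dq, now):
        # Drop failures older than the window so blocks expire on their own.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def is_blocked(self, ip, user, now):
        """True if either the source IP or the username is temporarily locked."""
        self._prune(self.ip_fail[ip], now)
        self._prune(self.user_fail[user], now)
        return (len(self.ip_fail[ip]) >= self.max_ip_fail
                or len(self.user_fail[user]) >= self.max_user_fail)

    def record_failure(self, ip, user, now):
        # A failed attempt counts against both the IP and the username.
        self.ip_fail[ip].append(now)
        self.user_fail[user].append(now)

    def record_success(self, ip, user, now, session_id):
        """Returns (kicked_session, too_many_ranges): the previous session id
        that the new login displaces (or None), and whether the account now
        spans more /24 ranges than allowed within the window."""
        net = ip_network(f"{ip}/24", strict=False)
        ranges = self.user_ranges[user]
        ranges[net] = now
        for stale in [n for n, t in ranges.items() if now - t > self.window]:
            del ranges[stale]
        kicked = self.sessions.get(user)      # only one session per username
        self.sessions[user] = session_id
        return kicked, len(ranges) > self.max_ranges
```

The caller should reject the attempt before checking the password when `is_blocked` returns true, invalidate `kicked_session`, and treat `too_many_ranges` as the trigger for a password reset and owner notification.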
Thanks guys, but all my passwords are 7-digit random generated so I don't see how they could be brute forcing their way in.
I really don't get that many hits either so it doesn't point towards brute force; it's like they can get at my .htpasswd file or they're fucking with my billing processor's CGI directly - really weird and bloody annoying. G
Try to change the names of the CGI script, the password script, password files. Put all data in a non-web-accessible folder (mine are on a partition "T"). This way, hackers that know the normal parameters of protection will be fucked ...
A few other webservers use the .htaccess format. For example: Roxen, Zeus. Also, the venerable NCSA httpd uses them as well, although you could argue that it became Apache.
Thanks for all your comments guys:
Ludedude - I process with GloBill and I've never heard of any problems with this, plus my cgi-bin dir is not browsable and it's not called globill.cgi or anything obvious like that (random digits), so how could they find it?
Netrodent - .htpasswd is not browsable from the web, I just tried and got a 404, plus it's not called ".htpasswd", it's again random digits.
Direct Fiesta - I agree and have always called all my important files and CGIs by random digit combinations.
This is what is so god damn annoying about the whole thing - if it was brute force or poor setup I'd understand and accept, but something else is going on here and I just don't know what :(
What's interesting is that after I have logged in to the members area I can view the .htaccess file; it's currently chmod 644, I've tried lower permissions but then it doesn't work.
It just seems daft because they can immediately find the location of my .htpasswd file from this. Would a MySQL DB be more secure than .htpasswd?