Why not track IP instead of user name in failed attempts? e.g. Lock out IP
www.xxx.yyy.zzz for an hour if it makes 6 successive bad attempts?
I realize the attacker could change his IP, but that takes time.
I realize that two people can share an IP (e.g. proxy users), it opens
the possibility of locking out a legitimate user by an attacker (DoS) if
they are on the same proxy, but that might be acceptable. I also set the
count a bit higher ('6' instead of '3') to compensate for multiple users
trying to login from the same proxy.
Of course, adding a "sleep(5)" before returning a message saying the
attack failed would help too.
ELB
--
Eric L. Brine | Chicken: The egg's way of making more eggs.
[EMAIL PROTECTED] | Do you always hit the nail on the thumb?
ICQ# 4629314 | An optimist thinks thorn bushes have roses.
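The per-IP lockout sketched in the post above, as an added example that is not part of the original message: six successive failures from one source address lock that address for an hour, a success resets the count, and the failure path is delayed. The user table, addresses and the injectable clock are constructed for the demo.

```python
import time
from collections import defaultdict

# Constructed stand-in for a credential store; a real system compares hashes.
USERS = {"alice": "correct horse", "bob": "hunter2"}

class IpLockout:
    """Count successive failed logins per source IP and lock the IP when the
    count reaches max_failures. A success resets the count for that IP."""

    def __init__(self, max_failures=6, lockout_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so a test can advance time
        self.failures = defaultdict(int)   # ip -> successive failure count
        self.locked_until = {}             # ip -> clock value when the lock expires

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: forget the IP entirely
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        if self.is_locked(ip):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)

def attempt_login(tracker, ip, user, password, sleep=time.sleep):
    """Return 'locked', 'ok' or 'bad'. The lock is checked before the
    credentials, so a locked IP learns nothing about the password."""
    if tracker.is_locked(ip):
        return "locked"
    if USERS.get(user) == password:
        tracker.record_success(ip)
        return "ok"
    tracker.record_failure(ip)
    sleep(5)                               # the post's sleep(5) on failure
    return "bad"
```

Note that the shared-proxy case in the post falls out directly: once 10.0.0.1 is locked, a legitimate user behind the same address is refused even with the right password until the hour expires.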