We have bunches of web applications which use the regular Apache login protection, and they won't run unless REMOTE_USER is set by the Apache login.
<Limit GET>
require valid-user
</Limit>
<Limit POST PUT DELETE>
require valid-user
</Limit>
AuthName O-Visitor
AuthUserFile /usr/appl/cgi/.htpasswd
AuthType Basic

Looking at improving security, it would seem that it would be much harder to conduct brute-force attacks on these systems if we could configure Apache login to do two things:

A. Present the CAPTCHA style validation prompt as part of the login, to make it difficult for scripted attacks to proceed;
B. Lock out an individual username in the .htpasswd file after X failed login attempts.

Are there flavors of Linux Apache which have modules to provide this?

Neal Rhodes
MNOP Ltd
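
Added example, not part of the original message: one way to find the usernames that meet the "X failed login attempts" condition in item B, by counting 401 responses per username in the Apache access log. It assumes the common/combined LogFormat and that any non-401 response carrying a username means the password was accepted; the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def users_to_lock(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {username: time of the 401 that crossed the threshold}."""
    recent = defaultdict(deque)  # username -> timestamps of recent 401s
    locked = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] == "-":
            continue  # unparsable line, or request sent without credentials
        user = m["user"]
        if m["status"] != "401":
            recent[user].clear()  # assumed: password accepted, reset the count
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures = recent[user]
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()  # forget failures older than the window
        if len(failures) >= max_failures and user not in locked:
            locked[user] = ts
    return locked

def line(user, hhmm, status):
    # Builds one constructed access-log line (documentation IP range).
    return (f'192.0.2.10 - {user} [12/Mar/2024:{hhmm}:00 +0000] '
            f'"GET /cgi/app HTTP/1.1" {status} 381')

# Constructed sample: alice fails 5 times in 4 minutes; bob's count is reset
# by a successful login; carol's 5 failures are spread over several hours.
SAMPLE = (
    [line("alice", f"10:0{i}", 401) for i in range(5)]
    + [line("bob", "10:00", 401), line("bob", "10:01", 401),
       line("bob", "10:02", 200)]
    + [line("bob", f"10:0{i}", 401) for i in range(3, 6)]
    + [line("carol", f"1{i}:00", 401) for i in range(5)]
)

if __name__ == "__main__":
    for user, when in users_to_lock(SAMPLE).items():
        print(f"{user}: threshold reached at {when.isoformat()}")
```

The username Apache logs on a 401 is whatever the client supplied, so the result can contain names that are not in the .htpasswd file.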