.htaccess brute forcing

Status
Not open for further replies.

Hondy

Technical User
Mar 3, 2003
864
GB
It seems .htaccess is not a good method to protect directories from intruders because you can't lock out the account.

I would like to know however if I can un-hash a failed attempt from the logs? I think I read somewhere that the password is hashed one-way. In my mod_security logs I can see that someone ran an automated script at it, I can see the hash in the logs but I wondered if there is a way to look at the real passwords they are trying. I understand it's probably from a dictionary or a character based barrage but I just wondered out of interest, can you un-hash the attempt? I realise there's not much point in knowing but I was just interested. I also understand it could be a worm etc, I'm just poking about at the mo.

Cheers
 
Webservers by their very nature make it hard to prevent brute force attacks. It is easy on other servers because they require a login and you can limit the amount of attempts before they are locked out. HTTP attacks however are hard to stop. You can protect webpages with scripts but brute force attacks against .htaccess are another story. I did a quick search on this so I would have to rewrite a book if there was one already written. I came across this article. It is a little old but it shows how you can harden your server against these types of attacks.
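
An added example, not part of the original thread, on the question of reading attempted passwords back from the logs: with HTTP Basic authentication (RFC 7617) the Authorization header carries base64 of user:password, which is an encoding rather than a hash, while a Digest response is one-way. It assumes the audit log records the Authorization request header; the sample lines and the function name `describe_authorization` are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample request-header lines, as an audit log might record them.
# All credentials and the digest value are made up for this example.
SAMPLE_HEADERS = [
    "Authorization: Basic YWRtaW46bGV0bWVpbg==",
    "Authorization: Basic cm9vdDpwYXNzOndvcmQ=",
    'Authorization: Digest username="admin", realm="private", nonce="abc123", '
    'uri="/secure/", response="0123456789abcdef0123456789abcdef"',
    "Authorization: Basic !!!not-base64!!!",
]

HEADER_RE = re.compile(r"\s*Authorization:\s*(\S+)\s+(.*)$", re.IGNORECASE)


def describe_authorization(header_line):
    """Hypothetical helper: report what a logged Authorization header reveals."""
    m = HEADER_RE.match(header_line)
    if not m:
        return {"scheme": None}
    scheme, value = m.group(1).lower(), m.group(2).strip()

    if scheme == "basic":
        # RFC 7617: the value is base64("user:password"), not a hash.
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return {"scheme": "basic", "error": "value is not valid base64"}
        # The user-id cannot contain ':', so split on the first colon only.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        if not sep:
            return {"scheme": "basic", "error": "no user:password separator"}
        return {"scheme": "basic", "user": user, "password": password,
                "recoverable": True}

    if scheme == "digest":
        # The response field is a one-way digest over the password, the server
        # nonce and the request, so the attempted password cannot be decoded.
        params = dict(re.findall(r'(\w+)="?([^",]*)"?', value))
        return {"scheme": "digest", "user": params.get("username"),
                "response": params.get("response"), "recoverable": False}

    return {"scheme": scheme, "recoverable": False}

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(describe_authorization(line))
```

Because Basic credentials are recoverable this way, an audit log that records request headers also holds any legitimate user's mistyped passwords and should be protected accordingly.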
 