general.chaos wrote: I would like it to "ban" you after 3-5 wrong tries in a certain time frame.
That does not answer the question. What do you mean by "you" when you say "ban you"? How will you identify the client? How can you be sure that really the same guy tries more than 3 times? Assume two guys are sitting in the same LAN behind the same server and unfortunately they both try to log in to your site at the same time. Both requests have the same public IP of the router - how will you (or Apache) decide who tries wrong three times in a row? Who is it?
Or assume there is a huge Internet proxy, many people are using this proxy, and all of them have the same IP (the IP of the proxy). How can you identify that one and the same user is going to fail 3 times in a row?
What are the criteria for Apache to find out that a user/browser fails to log in three times in a row? And what should happen after? The IP gets "blacklisted"? My neighbour fails to log in and I will be blacklisted, due to the fact that we use the same router?
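The shared-router case raised above, replayed as an added example that is not part of either post: a sliding-window failure counter run over constructed login events, once keyed on the source IP alone and once keyed on IP plus account name. The window length, the event fields, the account names and the second key are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3       # the quoted post asks for 3-5 wrong tries; 3 is used here
WINDOW_SECONDS = 300   # assumed value for "a certain time frame"

class FailureLimiter:
    """Sliding-window count of failed logins per client key."""
    def __init__(self, key_func):
        self.key_func = key_func              # decides who "you" is
        self.failures = defaultdict(deque)    # key -> timestamps of failures

    def is_banned(self, event):
        q = self.failures[self.key_func(event)]
        while q and event["ts"] - q[0] >= WINDOW_SECONDS:
            q.popleft()                       # forget failures outside the window
        return len(q) >= MAX_FAILURES

    def record_failure(self, event):
        self.failures[self.key_func(event)].append(event["ts"])

def replay(events, key_func):
    """Return the users refused by the ban before their password was checked."""
    limiter = FailureLimiter(key_func)
    refused = []
    for ev in events:
        if limiter.is_banned(ev):
            refused.append(ev["user"])
        elif not ev["ok"]:
            limiter.record_failure(ev)
    return refused

def by_ip(ev):
    return ev["ip"]

def by_ip_and_user(ev):           # assumed alternative key, not from the thread
    return (ev["ip"], ev["user"])

# Constructed events: two people behind one router share 203.0.113.7
# (documentation address range). "ok" is whether the password was correct.
EVENTS = [
    {"ts": 0,  "ip": "203.0.113.7", "user": "neighbour", "ok": False},
    {"ts": 10, "ip": "203.0.113.7", "user": "neighbour", "ok": False},
    {"ts": 20, "ip": "203.0.113.7", "user": "neighbour", "ok": False},
    {"ts": 30, "ip": "203.0.113.7", "user": "me",        "ok": True},
    {"ts": 40, "ip": "203.0.113.7", "user": "neighbour", "ok": False},
]

if __name__ == "__main__":
    print("keyed on IP:       ", replay(EVENTS, by_ip))
    print("keyed on IP + user:", replay(EVENTS, by_ip_and_user))
```

With the IP as the only key, the correct login at `ts=30` is refused because of the neighbour's three failures; the second key is one possible way to narrow that, and it only works where the server sees an account name at all.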