additonal protection with httpasswd

[tvone]

Hi,

is it possible to enable a password authentication (Apache config), before being redirect to the main login page ? Only for External access

regards

[phoenix]

Quote:

Originally Posted by tvone

is it possible to enable a password authentication (Apache config), before being redirect to the main login page ? Only for External access

Why would you want to make a user login twice to get to their email account?

[tvone]

Hi Bill,

thanks for your reply.

Our Zimbra Mail Server(http Login page) is reachable from WAN (via DNS or IP). I had in mind that it would be more safe to ask for a additional password before you get access to the main mail login page. Simply to filter bruteforce-attacks or things like that. For all other employees which come via internal network will get directly to the login page .

Regards

[phoenix]

Quote:

Originally Posted by tvone

Our Zimbra Mail Server(http Login page) is reachable from WAN (via DNS or IP). I had in mind that it would be more safe to ask for a additional password before you get access to the main mail login page. Simply to filter bruteforce-attacks or things like that. For all other employees which come via internal network will get directly to the login page .

Then why not implement a strong password policy (you can do that in the Admin UI) and/or something like fail2ban if you're concerned about brute force attacks? just adding two login pages doesn't really make you more secure unless you do something about what happens if a login fails or is apparently an 'attack'.

[tvone]

Hi,

fail2ban is a good tool and i think i will use it. The second point is, with an additional query you will not see the page immediately. And that means you have no oportunity to exploit security gaps in java, javascript,mysql etc. Because you will intercepted these previously. Correct me if i'm wrong