Mitigate brute force attacks on login page

[eluser]skunkbad[/eluser]
[quote author="CroNiX" date="1334950748"]If you did something like that I would make it a feature that can be turned on/off with an additional option to set the name (and path) of the .htaccess file. Not all hosts allow htaccess (most do) and some others even change the name of ".htaccess" to something else in the apache config (assuming they are using apache). If having .htaccess is a requirement for using community auth (a very nice app, BTW), then obviously this doesn't matter.[/quote]

Hey, thanks. Community Auth works 100% without .htaccess. I do like your ideas, and I have a few of my own. I'm going to have an Admin interface because I want them to be able able to add IPs to the banned list manually, and remove IPs if they need to. I wasn't aware of the issue with renaming .htaccess, and that the path could vary, which is good to know. Because of the way Community Auth logs in users, there really isn't ever a time when a real user would be able to submit the login form after being locked out, so my idea would be to instantly ban (for X amount of hours) any IP address that is associated with such a submission. I'm probably going to have to set up some sort of cron to check the dates of the banned IPs so that IPs can be released from being banned. Those are my initial thoughts. I'll probably start working on this in the next day or so.