How to limit login attempts to Subversion?
mod_dav_svn has an extensive logging feature. Combine this with Fail2ban and you should be able to intercept brute-force login attempts.
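The counting that a log-based ban applies, shown as an added example that is not part of the answer above and is not Fail2ban's own code. It assumes Apache writes a common-format access log for the Subversion location; the sample lines, the /svn/repo path, and the thresholds (3 failures in 300 seconds, playing the role of Fail2ban's maxretry and findtime) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status size
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Yield (time, ip, user) for 401 responses where credentials were sent."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, ts, status = m.groups()
        # A 401 with user "-" is only the initial challenge that a client
        # gets before it sends credentials; a 401 with a user name logged
        # is a rejected login.
        if status == "401" and user != "-":
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, user

def offenders(lines, max_retry=3, find_time=300):
    """Return {ip: time of the failure that reached max_retry within find_time seconds}."""
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for when, ip, _user in failed_logins(lines):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_retry and ip not in flagged:
            flagged[ip] = when
    return flagged

# Constructed sample log (documentation IP ranges, hypothetical repository path)
SAMPLE = [
    '192.0.2.9 - bob [05/Mar/2024:09:00:00 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '192.0.2.9 - bob [05/Mar/2024:09:10:00 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '192.0.2.9 - bob [05/Mar/2024:09:20:00 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '203.0.113.5 - - [05/Mar/2024:10:00:00 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '203.0.113.5 - admin [05/Mar/2024:10:00:01 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '203.0.113.5 - admin [05/Mar/2024:10:00:03 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '198.51.100.7 - alice [05/Mar/2024:10:00:04 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '203.0.113.5 - root [05/Mar/2024:10:00:05 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 381',
    '198.51.100.7 - alice [05/Mar/2024:10:00:09 +0000] "OPTIONS /svn/repo HTTP/1.1" 200 190',
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

Only the address with three rejected logins inside the window is flagged; the user who mistyped once and the address whose failures are ten minutes apart are not.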
You can do that in LDAP itself, if it supports the password policy IETF draft. (OpenLDAP does.) Just set the standard policy's pwdLockout attribute to true, pwdMaxFailure to a non-zero value, say 3 in your case, and pwdLockoutDuration to however many seconds you want the lockout to be, say 300, whatever you think is long enough to deter bots without annoying the hell out of real users.