> I can sit on the view list info page and hack all day long. There is no
> logging, no security policy.

You need to turn on logging on your Web server. You can also probably restrict access with certain directives.

> Hmmmmm...... sounds like someone works for microsoft 8^)

It's possible to have the CGI keep a running total of failed attempts, but the question is how to tell whether or not they're from the same source. Do you send a cookie to identify them? Use their IP address? These are all easily spoofable "solutions", and probably one of the greater flaws with Web-based authentication -- you can just brute force it.

I suppose the most extensible solution is to send failure notices to syslog and count on the admin to notice these with Logcheck, swatch, or whatever. An automated process can then do whatever (drop routes for the paranoid, etc.)

Anyone else have any comments (Wietse ? :)

Chris