[Catalyst] Rate limiting password attacks
Carl Johnstone
catalyst at fadetoblack.me.uk
Fri Aug 17 17:18:30 GMT 2007
> Also considered issuing a redirect to a simple server that will delay
> the number of failed attempts seconds before redirecting back to the
> login page. Any smart attacker would get clued about this and not
> follow that redirect. Fun anyways, though. ;)
As I just said in the other email, you could use perlbal and not send the
redirect directly to the client - but to your perlbal proxy, which then
requests a delay from your stripped http server, which then sends the real
response.
Carl
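
The flow described in the reply above, sketched in Perl as an added example (not code from this thread or from the Catalyst or perlbal projects): the application answers a failed login with perlbal's X-REPROXY-URL header, and a loopback-only delay server sleeps before sending the real response, so the client never sees a redirect it could skip.
Assumptions: port 8081, the /delay path, the secs parameter, the 30-second cap and the response body are all hypothetical, and the perlbal service must have reproxying enabled (enable_reproxy).

```perl
#!/usr/bin/perl
# Added example. Port, path, parameter name and cap are assumptions.
use strict;
use warnings;
use HTTP::Daemon;      # HTTP-Daemon distribution, not core Perl
use HTTP::Response;
use URI;

use constant MAX_DELAY => 30;    # cap, so the delay cannot grow without bound
use constant DELAY_URL => 'http://127.0.0.1:8081/delay';   # loopback: only perlbal can reach it

# App side: header the login action hands to perlbal after a failed attempt.
# In a Catalyst action: $c->res->header(reproxy_header($failed_attempts));
sub reproxy_header {
    my ($failed) = @_;
    my $secs = $failed > MAX_DELAY ? MAX_DELAY : $failed;
    my $uri  = URI->new(DELAY_URL);
    $uri->query_form(secs => $secs);
    return ('X-REPROXY-URL' => $uri->as_string);
}

# Delay side: sleep, then send the real "login failed" response via perlbal.
# Fork-per-connection keeps the sketch short; a production version would be
# event-driven and would cap the number of concurrent sleepers.
sub serve_delay {
    my $d = HTTP::Daemon->new(LocalAddr => '127.0.0.1', LocalPort => 8081,
                              ReuseAddr => 1) or die "listen: $!";
    local $SIG{CHLD} = 'IGNORE';                     # auto-reap children
    while (my $conn = $d->accept) {
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid) { $conn->close; next; }            # parent keeps accepting
        if (my $req = $conn->get_request) {
            my %q = $req->uri->query_form;
            # Re-validate even though the value comes from our own app:
            # anything that is not a small integer gets the maximum delay.
            my $secs = ($q{secs} // '') =~ /^(\d{1,3})$/ ? $1 : MAX_DELAY;
            $secs = MAX_DELAY if $secs > MAX_DELAY;
            sleep $secs;
            $conn->send_response(HTTP::Response->new(
                200, 'OK', ['Content-Type' => 'text/plain'], "Login failed.\n"));
        }
        $conn->close;
        exit 0;
    }
}

serve_delay() unless caller;
```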