pfSense: pfSense-SA-17_06.webgui: Brute force login protection weakness in the WebGUI
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
9 | (AV:N/AC:L/Au:N/C:C/I:C/A:N) | 2016-07-19 | 2017-08-25 | 2025-02-18 |
Description
Malicious clients that repeatedly fail to authenticate to the pfSense WebGUI
are added to a lockout table, which prevents them from opening new connections.
Existing connections are not dropped, however, so a browser or malicious client
that already holds an open connection (for example over HTTP keep-alive) can
keep sending login requests on it, and those attempts are not stopped.
Because the existing connection survives the lockout, a malicious client can
submit far more brute-force login attempts than the intended cut-off allows. If
firewall accounts have weak passwords, an attacker could potentially gain access.
This problem does not affect SSH logins in the same way: the SSH daemon itself
terminates the connection after repeated failures, and the lockout table then
prevents the malicious client from reconnecting to send additional attempts.
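The following toy model illustrates the difference between enforcing a lockout only when a new connection is accepted (the weak behaviour described above) and re-checking the lockout table on every login request. It is an added example written for this page, not pfSense code: the threshold of five failures, the IP address, the wordlist and the password are all constructed for the demonstration, and the real WebGUI threshold is not stated on this page.

```python
"""Toy model of a login lockout: connect-time check vs per-request check.

Constructed example; this is not pfSense code. The threshold, wordlist,
password and client address are assumptions for the demonstration.
"""
from dataclasses import dataclass, field

# Assumed lockout threshold; the real pfSense value is not given on the page.
LOCKOUT_THRESHOLD = 5

# Constructed attacker wordlist; the correct password is the 12th guess.
WORDLIST = [
    "password", "admin", "pfsense", "123456", "letmein", "qwerty",
    "welcome", "monkey", "dragon", "master", "login", "correct horse",
    "sunshine", "princess",
]


@dataclass
class LoginServer:
    password: str
    enforce_per_request: bool          # True = hardened behaviour
    failures: dict = field(default_factory=dict)   # ip -> failed attempts
    lockout_table: set = field(default_factory=set)  # locked-out ips

    def accept_connection(self, ip: str) -> bool:
        """Connect-time check: locked-out clients cannot open new connections.

        This is the only place the weak server consults the lockout table.
        """
        return ip not in self.lockout_table

    def handle_login(self, ip: str, attempt: str) -> str:
        """Handle one login request on an already-accepted connection."""
        # Hardened server: a request on an existing connection is refused
        # once the client has been locked out. The weak server skips this.
        if self.enforce_per_request and ip in self.lockout_table:
            return "locked"
        if attempt == self.password:
            return "success"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= LOCKOUT_THRESHOLD:
            self.lockout_table.add(ip)
        return "failure"


def brute_force_over_one_connection(server: LoginServer, ip: str, wordlist):
    """Open a single connection before lockout and keep sending guesses on it.

    Returns (recovered_password_or_None, number_of_requests_sent).
    """
    if not server.accept_connection(ip):
        return None, 0
    attempts = 0
    for guess in wordlist:
        attempts += 1
        result = server.handle_login(ip, guess)
        if result == "success":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo():
    ip = "203.0.113.5"  # constructed attacker address (TEST-NET-3)
    weak = LoginServer(password="correct horse", enforce_per_request=False)
    weak_result = brute_force_over_one_connection(weak, ip, WORDLIST)
    hardened = LoginServer(password="correct horse", enforce_per_request=True)
    hardened_result = brute_force_over_one_connection(hardened, ip, WORDLIST)
    return {
        "weak": weak_result,                      # ('correct horse', 12)
        "weak_reconnect": weak.accept_connection(ip),       # False
        "hardened": hardened_result,              # (None, 6)
        "hardened_reconnect": hardened.accept_connection(ip),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both servers refuse a reconnect once the address is in the lockout table, which is the part that works today and is why SSH is unaffected. Only the hardened server stops the twelfth guess on the connection that was already open; the weak one evaluates every request on that connection and the password falls on the twelfth try.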
Solution
