4

I have password protected my /www root using a .htaccess and .htpasswd file and now I was wondering if it is possible to login invalid authentication attempts. My first though was that both successful and invalid attempts, including supplied password would be logged into /var/log/apache2/error_log but it seems like only the username is logged into this file.

My server is running apache 2.2.21 on osx 10.7.4.

Cyclonecode
  • 150
  • 1
  • 1
  • 12
  • 8
    Failed passwords are not logged, because it's not a good security practice. If passwords were logged, every time you mistyped your username, your password would be stored in cleartext in your logs. – mricon Dec 25 '12 at 15:25
  • @mricon - yes, I understand and agree, but the question remains is there a way to trap all failed login attempts storing both the supplied username and password. – Cyclonecode Dec 25 '12 at 19:41

3 Answers3

8

Why do you want to do this? As mricon has noted, logging passwords in clear text is highly discouraged, even for debugging.

mod_security might be used in a way that fits your whishes, by logging HTTP headers. Passwords aren't transmitted in clear text by the browser though, so you must decode the Base64 encoded sequence.

See directives SecAuditLog and SecAuditLogParts here.

Perhaps this is more fitting for your goals: Protect HTTP Auth from brute force attacks

fuero
  • 9,591
  • 1
  • 35
  • 40
  • I agree. Logging supplied passwords is an extremely poor security decision unless you are trying to nefariously steal passwords which doesn't need to be discussed. – colechristensen Feb 04 '13 at 23:00
  • 1
    @colechristensen - I was interested in doing this because I noticed I had a lot of login attempts on my server and I wanted to see what kind of username/password combinations they were using (just of curiosity) – Cyclonecode Oct 03 '13 at 15:09
4

I searched the web and stumbled upon a good explaination on how to achive this.

First the .htaccess file:

# script that will store invalid login attempts
ErrorDocument 401 /logging.php

AuthName "My Password Protected Site"
AuthUserFile /<FULLPATH>/.htpasswd
AuthType Basic
Require valid-user

# Set REMOTE_USER env variable on 401 ErrorDocument
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

Then the actual script that will do the logging:

if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])):
    $fp = fopen(MYLOGFILE, 'a+');
    $password = $_SERVER['PHP_AUTH_PW'];
    $username = $_SERVER['PHP_AUTH_USER'];
    $time = date('y-m-d/H:i:s');
    $request = $_SERVER['REDIRECT_URL'];
    fwrite($fp, $time . "\t" . $request . "\t" . $username . "/" . $password . "\r\n");
    fclose($fp);
endif;

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to 
 access the document
 requested.  Either you supplied the wrong
 credentials (e.g., bad password), or your
 browser doesn\'t understand how to supply
 the credentials required . </p>';
exit();

The above workes just fine, and stores all invalid usernames and passwords in the specified logfile. I didn't get the example below to work, but it gave me some ideas on how to proceed.

Each line in the output file will hold something like this:

 13-01-01/12:12:16 - /www/ - username/password

Log all .htaccess/.htpasswd logins

Cyclonecode
  • 150
  • 1
  • 1
  • 12
  • 1
    Interesting solution. Does it work? Now don't go and get yourself hacked and spill all the passwords into the open. – Stefan Lasiewski Feb 04 '13 at 23:12
  • @StefanLasiewski - No it didn't work right out of the box, but perhaps I did something wrong implementing it. The above solution works though and is very much alike the one in the article. – Cyclonecode Feb 05 '13 at 18:56
  • 1
    I can confirm the above works with Apache 2.4.6. Sometimes this is necessary to debug http auth issues... – Mahn Oct 03 '13 at 13:34
2

My apache2 installtion have such log messages about failed attempts:

 access to / failed, reason: verification of user id 'qwdsad' not configured

You could install fail2ban to grep these messages from logs and do something to prevent it.

dr-evil
  • 377
  • 1
  • 5
  • What is the name of the log file? `/var/log/apache2/access_log`? Is the password used also stored in the log, I want to be able to trap both the username and the used password. – Cyclonecode Dec 25 '12 at 19:43
  • In my case - log is error_log. Used password logging is unusual case, and I never need it. – dr-evil Dec 26 '12 at 08:23