Security – Log invalid login attempts – htpasswd

apache-2.2htpasswdSecurity

I have password protected my /www root using a .htaccess and .htpasswd file and now I was wondering if it is possible to login invalid authentication attempts. My first though was that both successful and invalid attempts, including supplied password would be logged into /var/log/apache2/error_log but it seems like only the username is logged into this file.

My server is running apache 2.2.21 on osx 10.7.4.

Best Answer

Why do you want to do this? As mricon has noted, logging passwords in clear text is highly discouraged, even for debugging.

mod_security might be used in a way that fits your whishes, by logging HTTP headers. Passwords aren't transmitted in clear text by the browser though, so you must decode the Base64 encoded sequence.

See directives SecAuditLog and SecAuditLogParts here.

Perhaps this is more fitting for your goals: Protect HTTP Auth from brute force attacks

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Apache .htaccess error: ‘not allowed here’ on Debian Wheezy

The Apache Directory directive on /var/www/ninja/www/ only allows modification of the behaviour of FileInfo Indexes by way of the .htaccess file. Refer to the Apache documentation on AllowOverride.

Please modify the AllowOverride to also allow the local configuration of AuthConfig resulting in:

<Directory /var/www/ninja/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride FileInfo Indexes Authconfig
</Directory>

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Apache .htaccess error: ‘not allowed here’ on Debian Wheezy

Related Topic