I have password protected my /www root using a .htaccess and .htpasswd file and now I was wondering if it is possible to log invalid authentication attempts. My first thought was that both successful and invalid attempts, including the supplied password, would be logged into /var/log/apache2/error_log but it seems like only the username is logged into this file.
My server is running Apache 2.2.21 on OS X 10.7.4.
Best Answer
Why do you want to do this? As mricon has noted, logging passwords in clear text is highly discouraged, even for debugging.
mod_security might be used in a way that fits your wishes, by logging HTTP headers. Passwords aren't transmitted in clear text by the browser though, so you must decode the Base64 encoded sequence. See directives SecAuditLog and SecAuditLogParts here.
Perhaps this is more fitting for your goals: Protect HTTP Auth from brute force attacks
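
An added example, not part of the answer above: error_log already records the client and username of each failed attempt without the password, so failures can be counted per client to spot brute forcing. The log lines are constructed in the Apache 2.2 message style, and the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache 2.2 error_log style (not from a real server).
SAMPLE_LOG = """\
[Mon Jul 09 10:15:01 2012] [error] [client 192.0.2.10] user admin: authentication failure for "/": Password Mismatch
[Mon Jul 09 10:15:02 2012] [error] [client 192.0.2.10] user admin: authentication failure for "/": Password Mismatch
[Mon Jul 09 10:15:03 2012] [error] [client 192.0.2.10] user root not found: /
[Mon Jul 09 10:16:40 2012] [error] [client 198.51.100.7] user alice: authentication failure for "/private": Password Mismatch
[Mon Jul 09 10:17:12 2012] [error] [client 198.51.100.7] File does not exist: /www/favicon.ico
[Mon Jul 09 10:15:04 2012] [error] [client 192.0.2.10] user admin: authentication failure for "/": Password Mismatch
"""

# Shared prefix: timestamp, client address, and the username Apache logged.
PREFIX = r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] user (?P<user>\S+?)'
PATTERNS = [
    # Known user, wrong password (the reason text is taken from the log line).
    (re.compile(PREFIX + r': authentication failure for "(?P<uri>[^"]*)": (?P<why>.+)$'), None),
    # Username that is not in the .htpasswd file.
    (re.compile(PREFIX + r' not found: (?P<uri>\S+)$'), "User not found"),
]

def parse_failures(text):
    """Return one dict per failed Basic-auth attempt found in the log text."""
    failures = []
    for line in text.splitlines():
        for pattern, fixed_reason in PATTERNS:
            m = pattern.match(line)
            if m:
                rec = m.groupdict()
                rec["why"] = fixed_reason or rec["why"]
                failures.append(rec)
                break
    return failures

def noisy_clients(failures, threshold=3):
    """Map client IP -> (failure count, sorted usernames tried) at or above threshold."""
    by_ip = defaultdict(list)
    for rec in failures:
        by_ip[rec["ip"]].append(rec["user"])
    return {ip: (len(users), sorted(set(users)))
            for ip, users in by_ip.items() if len(users) >= threshold}

if __name__ == "__main__":
    for ip, (count, users) in noisy_clients(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(users)}")
```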