Logging user names for password protected sites

Logging user names for password protected sites

Post by Keith Obo » Thu, 02 Apr 1998 04:00:00



I've been asked to log user names that are hitting password-protected areas of
our site. The protection is by htaccess, with multiple users. Servers are Apache.

Looking at the logs, when an attempt is made, a line:

195.129.28.130 - - [01/Apr/1998:13:35:18 +0100] "GET /service/roaming/tknumbers/index.html HTTP/1.0" 401 350

is logged BEFORE the htaccess verification. Then, when the user gives a username
and password, a second line is logged:

195.129.28.130 - keith [01/Apr/1998:13:35:25 +0100] "GET /service/roaming/tknumbers/index.html HTTP/1.0" 401 350

That looks simple - just look for lines with the right GET path and a
non-blank username.

BUT, if the user gives an incorrect password, exactly the same things happen. So
we can't distinguish between accepted and rejected attempts!

Does anyone have any suggestions? Mail me please--.

 
 
 

Logging user names for password protected sites

Post by Marc Slemk » Thu, 02 Apr 1998 04:00:00



Quote:>I've been asked to log user names that are hitting password-protected areas of
>our site. The protection is by htaccess, with multiple users. Servers are Apache.
>Looking at the logs, when an attempt is made, a line:
>195.129.28.130 - - [01/Apr/1998:13:35:18 +0100] "GET /service/roaming/tknumbers/index.html HTTP/1.0" 401 350
>is logged BEFORE the htaccess verification. Then, when the user gives a username
>and password, a second line is logged:
>195.129.28.130 - keith [01/Apr/1998:13:35:25 +0100] "GET /service/roaming/tknumbers/index.html HTTP/1.0" 401 350
>That looks simple - just look for lines with the right GET path and a
>non-blank username.
>BUT, if the user gives an incorrect password, exactly the same things happen. So
>we can't distinguish between accepted and rejected attempts!

If there is a username with a status code 401, then the auth did
not succeed.

If the status code is not 401, then it did.

 
 
 

1. Logging hits to password protected sites

This is a repost - the first copy seems to have vanished to the great news
server in the sky!

We run Apache web servers, and have some sections of the site protected with
htaccess. I need to log usernames hitting these sites.

By experiment, when an attempt is made to enter the protected area, a line
is logged like:

195.129.28.130 - - [27/Jan/1998:11:35:52 +0000] "GET /service/roaming/tknumbers
HTTP/1.0" 401 350

Then, when the user has been authenticated, a second hit is logged:

195.129.28.130 - keith [27/Jan/1998:11:35:59 +0000] "GET
/service/roaming/tknumbers HTTP/1.0" 401 350

So, the obvious answer is to only look for log entries where the relevant path
appears along with a non-blank username.

Unfortunately, if the user provides a bad username and password, and
authentication fails, the log shows exactly the same results! So, there seems to
be no way to distinguish between successful and unsuccessful attempts.

Does anyone have any ideas/suggestions? If so, mail me please!

2. LILO: /boot on DOS partition. Big Problem

3. Password-protecting a directory with no user name required.

4. SCO Skunkware 5 Updates

5. How to password protect sub directories for access by their creator and by the site administrator?

6. Help.. partitioning with Disk Druid (Red Hat 8)

7. difficulty in reaching password-protected sites through Apache 1.3.6 server

8. Credential error mounting HPUX via NFS

9. Apache - CGI to protect web site for non-concurrent passwords

10. password protecting sites

11. Downloading contents of password protected web site?

12. Q-> logging user names as they log in

13. telnetd[#####]: can't find user in protected password database