Support httpd authentication errors

Create issue
Issue #50 on hold
Daniel Aleksandersen created an issue

Apache’s debug, forensic, and access logs are very configurable and can be hard to parse as they may vary quite a bit. Their error logs are, on the other hand, set in one format and can contain a lot of authentication related messages.

Example log entries:

[Sun Nov 20 02:53:43.015161 2016] [access_compat:error] [pid 18506:tid 440664991925516] [client 78.5.2.32:57002] AH01797: client denied by server configuration: /var/www/best-kept-secret/login
[Sun Nov 20 02:53:43.015161 2016] [access_compat:error] [pid 18506:tid 440664991925516] [client 2001:db8::dead:e1f:57002] AH01797: client denied by server configuration: /var/www/best-kept-secret/login

Note that there is no delimiter between the IPv6 address and the port.

The pattern to look for would be something like:

\[client ipaddr:[0-9]+\] AH[0-9]{5}\:

Here are the httpd authentication failure errors for the various httpd modules: https://wiki.apache.org/httpd/ListOfErrors

mod_auth_basic:
AH01617
AH01618

mod_authz_core:
AH01631

mod_authz_owner:
AH01632
AH01633
AH01634
AH01635
AH01636
AH01637
AH01638
AH01639
AH01640
AH01641

mod_authz_user:
AH01663

mod_authz_groupfile:
AH01666
AH01667
AH01670
AH01671

mod_authnz_ldap:
AH01694
AH01695
AH01720
AH01728
AH01746
AH01748

mod_auth_digest:
AH01792
AH01794

mod_access_compat:
AH01797

mod_authz_dbm:
AH01800
AH01801
AH01804
AH01805

mod_auth_form:
AH01807
AH01808

Comments (2)

  1. Kevin Zheng
    • changed status to open

    This sounds rather painful. Lex/yacc aren't the funnest things to work with. I probably won't get around to this in a while, but if you'd like to give it a whack go ahead. Perhaps worth checking if fail2ban/denyhosts has rules for this, and yanking things over as appropriate.

    One of the ideas I threw out earlier was to trim out the regex stuff from fail2ban and plugging it where sshg-parser goes.

  2. Log in to comment