- changed status to open
Support httpd authentication errors
Issue #50
on hold
Apache’s debug, forensic, and access logs are very configurable and can be hard to parse as they may vary quite a bit. Their error logs are, on the other hand, set in one format and can contain a lot of authentication-related messages.
Example log entries:
#!
[Sun Nov 20 02:53:43.015161 2016] [access_compat:error] [pid 18506:tid 440664991925516] [client 78.5.2.32:57002] AH01797: client denied by server configuration: /var/www/best-kept-secret/login
[Sun Nov 20 02:53:43.015161 2016] [access_compat:error] [pid 18506:tid 440664991925516] [client 2001:db8::dead:e1f:57002] AH01797: client denied by server configuration: /var/www/best-kept-secret/login
Note that there is no delimiter between the IPv6 address and the port.
The pattern to look for would be something like:
#!
\[client ipaddr:[0-9]+\] AH[0-9]{5}\:
Here are the httpd authentication failure errors for the various httpd modules: https://wiki.apache.org/httpd/ListOfErrors
#!
mod_auth_basic:
AH01617
AH01618
mod_authz_core:
AH01631
mod_authz_owner:
AH01632
AH01633
AH01634
AH01635
AH01636
AH01637
AH01638
AH01639
AH01640
AH01641
mod_authz_user:
AH01663
mod_authz_groupfile:
AH01666
AH01667
AH01670
AH01671
mod_authnz_ldap:
AH01694
AH01695
AH01720
AH01728
AH01746
AH01748
mod_auth_digest:
AH01792
AH01794
mod_access_compat:
AH01797
mod_authz_dbm:
AH01800
AH01801
AH01804
AH01805
mod_auth_form:
AH01807
AH01808
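The following Python sketch is an added example, not code from this issue or from sshguard. It applies the pattern above to the two sample entries, splitting the port off at the last colon and keeping only the listed AH codes. The names `parse_line` and `count_failures` are hypothetical, the code assumes the port is always logged as in the entries shown, and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# AH codes listed in the issue above, expanded to the "AHnnnnn" form.
_CODES = [1617, 1618, 1631, *range(1632, 1642), 1663, 1666, 1667, 1670, 1671,
          1694, 1695, 1720, 1728, 1746, 1748, 1792, 1794, 1797,
          1800, 1801, 1804, 1805, 1807, 1808]
AUTH_FAILURE_CODES = {f"AH{n:05d}" for n in _CODES}

# Anchored at line start so text later in the message cannot pose as the
# client field. The greedy address group backtracks to the LAST colon, which
# is how the port is split off an IPv6 address that has no delimiter.
_LINE = re.compile(
    r"^\[[^\]]+\] \[[^\]]+\] \[pid [^\]]+\] "
    r"\[client (?P<addr>[0-9A-Fa-f:.]+):(?P<port>[0-9]{1,5})\] "
    r"(?P<code>AH[0-9]{5}):"
)

def parse_line(line):
    """Return (address, port, code) for a listed failure, else None."""
    m = _LINE.match(line)
    if m is None or m.group("code") not in AUTH_FAILURE_CODES:
        return None
    try:
        ip = ipaddress.ip_address(m.group("addr"))  # rejects malformed input
    except ValueError:
        return None
    return str(ip), int(m.group("port")), m.group("code")

def count_failures(lines):
    """Tally listed failures per client address."""
    return Counter(p[0] for p in map(parse_line, lines) if p)

_HEAD = "[Sun Nov 20 02:53:43.015161 2016] [access_compat:error] [pid 18506:tid 440664991925516] "
SAMPLE = [
    # The two entries from the issue.
    _HEAD + "[client 78.5.2.32:57002] AH01797: client denied by server configuration: /var/www/best-kept-secret/login",
    _HEAD + "[client 2001:db8::dead:e1f:57002] AH01797: client denied by server configuration: /var/www/best-kept-secret/login",
    # Constructed: code AH99999 is a placeholder that is not in the list, and
    # the message embeds text shaped like a client field.
    _HEAD + "[client 198.51.100.9:40000] AH99999: constructed [client 192.0.2.7:1] AH01797: x",
    # Constructed: malformed address.
    _HEAD + "[client 999.5.2.32:57002] AH01797: constructed",
]

if __name__ == "__main__":
    for addr, n in count_failures(SAMPLE).items():
        print(addr, n)
```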
Comments (2)
- changed status to on hold
Awaiting fail2ban-coupled sshg-parser.
This sounds rather painful. Lex/yacc aren't the funnest things to work with. I probably won't get around to this in a while, but if you'd like to give it a whack go ahead. Perhaps worth checking if fail2ban/denyhosts has rules for this, and yanking things over as appropriate.
One of the ideas I threw out earlier was to trim out the regex stuff from fail2ban and plug it in where sshg-parser goes.