Author Topic: see bad pass/username  (Read 9662 times)


Offline Lebjo

  • Regular poster
  • **
  • Posts: 15
    • View Profile
see bad pass/username
« on: March 08, 2009, 04:47:45 AM »
Hi
I need some info.

E.g.:
Somebody wants access to my 'locked' folder. If he inserts a bad pass/username, can I see what he inserted (pass/user)? (In the log?)

Offline rejetto

  • Administrator
  • Insane programmer
  • *
  • Posts: 12832
  • Country: it
    • View Profile
Re: see bad pass/username
« Reply #1 on: March 09, 2009, 05:09:58 PM »
HFS will show the info only if the username is correct (but wrong password).
if you need more, we must go with scripting. let me know.

Offline Lebjo

Re: see bad pass/username
« Reply #2 on: March 09, 2009, 05:31:48 PM »
Yes, I need more info in the log: what password and name he is typing.
Example:
I have created 1 user named "JUSTTEST"

Somebody wants to log in and types: user - "TOM", pass - "123"

and in the log I want to see
"""01:33:05 123 TOM@127.0.0.1:2517 Login failed""" - Bad password/username
« Last Edit: March 09, 2009, 05:34:14 PM by Lebjo »

Offline rejetto

Re: see bad pass/username
« Reply #3 on: March 09, 2009, 05:40:49 PM »
it cannot be done with current version, sorry.

but next 2.3 beta build #229 will let you put this in the event script file (ALT+F6).

[unauthorized]
{.add to log|Bad login: %user% / %password%.}

Offline Lebjo

Re: see bad pass/username
« Reply #4 on: March 09, 2009, 05:57:23 PM »
When will #229 be done? (Release)

Offline rejetto

Re: see bad pass/username
« Reply #5 on: March 09, 2009, 05:58:54 PM »
very soon.
maybe tonight.
or in this week.

Offline r][m

  • Insane poster
  • *****
  • Posts: 347
    • View Profile
Re: see bad pass/username
« Reply #6 on: March 10, 2009, 11:54:24 PM »
Quote
but next 2.3 beta build #229 will let you put this in the event script file (ALT+F6).

[unauthorized]
{.add to log|Bad login: %user% / %password%.}

Works in regular log, but not apache format.  :(
« Last Edit: March 10, 2009, 11:58:55 PM by r][m »

Offline rejetto

Re: see bad pass/username
« Reply #7 on: March 11, 2009, 06:37:10 AM »
apache logs contain only requests.
the "add to log" is a free form of logging, and i guess it should not be included in apache format.
because i guess people using the apache format use log analyzers. i don't know how they would behave in such situation.
i see 2 paths
- we discuss and see why such "free form" should fit the apache format.
- you don't use "add to log" but "append", and write directly to the apache format what you want.

Offline r][m

Re: see bad pass/username
« Reply #8 on: March 12, 2009, 12:02:22 AM »
Quote
apache logs contain only requests.
the "add to log" is a free form of logging, and i guess it should not be included in apache format.
because i guess people using the apache format use log analyzers. i don't know how they would behave in such situation.
i see 2 paths
- we discuss and see why such "free form" should fit the apache format.
- you don't use "add to log" but "append", and write directly to the apache format what you want.

You added %z to apache log format. I used it
Quote
%h %l %u %t "%r" %>s %b "%{Referer}i %z" "%{User-Agent}i"
inside referer section. It produces result as screenshot attached. It could have been added to Request
section. Can't say what the result would be, of adding something else. But bad password would be nice
to have. Screenshot is of Analog 6.0 and at least lists the ~upload that's made.
When I can find some time I'll try append to see if it might be used some way, but I doubt it. Analog has a pretty narrow focus.
There is a better way, but we've been through that before :(

Offline rejetto

Re: see bad pass/username
« Reply #9 on: March 12, 2009, 12:40:31 PM »
i was partially wrong.
yes, "apache logs contains only requests", but a bad password is actually a request (rejected).
so, my question now is: this "bad" request should already be logged in apache-format when the "only served requests" is disabled.
if you confirm this, i guess the only thing you miss is the "password" information.
am i right?


Offline r][m

Re: see bad pass/username
« Reply #10 on: March 13, 2009, 01:36:54 AM »
Quote
so, my question now is: this "bad" request should already be logged in apache-format when the "only served requests" is disabled.
if you confirm this, i guess the only thing you miss is the "password" information.
am i right?

Only served requests is disabled.
Bad login is only referred to as 401, or as "failure" in various report sections in Analog.
No reason given. Event scripts don't show with apache format.
I fear apache format is becoming inadequate as HFS evolves.
I'm working on the event scripts and "add to log" (regular log).
I think this may be a better direction, and is showing promise, but I may need help eventually.
It will be some hours before I'll know what's possible.
Is there any hope that you might make a small (but badly needed) change to the regular log?

Offline rejetto

Re: see bad pass/username
« Reply #11 on: March 13, 2009, 09:56:41 AM »
Quote
Bad login is only referred to as 401, or as "failure" in various report sections in Analog.
No reason given.

a 401 with a username is a "bad password".
what are you missing?

Quote
Is there any hope that you might make a small (but badly needed) change to the regular log?

how can i answer without knowing what you are talking about :)

Offline r][m

Re: see bad pass/username
« Reply #12 on: March 14, 2009, 10:21:41 AM »
r][m said
Quote
Event scripts don't show with apache format
Actually I was partially wrong, if you login by clicking on a protected
folder event scripts show in the HFS log window. If you use /~login
they do not.
Rejetto said
Quote
how can i answer without knowing what you are talking about
It might not be needed if I can use special events to make a special log work like...
Code:
[unauthorized]
{.unauthorized|{.append|/Server/Admin/log_file/New-Log.txt|Bad login:%date%-%time%-%user%-%password%.}
and it does work, but it appends the text in notepad like...
One line of textOne line of textOne line of text
Instead of...
One line of text
One line of text
Google finds lots of info on this, but I haven't been able to make anything work. Without proper
display, it's useless.
Any idea on how to fix this?

Offline Mars

  • Operator
  • Insane poster
  • *****
  • Posts: 1789
  • Country: 00
    • View Profile
Re: see bad pass/username
« Reply #13 on: March 14, 2009, 02:34:58 PM »
The possible solution is to use \t and \n; they will be converted into a tab and a line break

Quote
  procedure save();
  begin result:=if_(saveFile(uri2diskMaybeFolder(p), xtpl(pars[1], ['\\','\|','\t',#09,'\n',CRLF,'\|','\']), name='append'), ' ') end;   // mars

\\t and \\n are converted to \t and \n ( no TAB and no CRLF )

the other way is using two macro {.crlf.} {.tab.} to obtain the same result.

Quote
    if name = 'crlf' then
      result:=CRLF;

    if name = 'tab' then
      result:=#09;

To convert any text in the same way, it is advisable to use the macro {.replace|... .} in this form:
{.replace|\\|<//>|\t|{.tab.}|\n|{.crlf.}|<//>|\| your text\t is converted\n correctly.}


An example using both methods with hfs.events
Quote
[request]
{.append|hfs.test.log|user1: {.tab.} %user%1 {.crlf.}.}
{.append|hfs.test.log|user2: \t %user%2 \n.}
{.append|hfs.test.log|user3: \\t %user%3 \\n.}
{.append|hfs.test.log|\n next request \n.}
{.append|hfs.test.log|{.replace|\\|<//>|\t|{.tab.}|\n|{.crlf.}|<//>|\| your text\t is converted\n correctly.}
.}
hfs.test.log contains:
user1:     admin1
user2:     admin2
user3: \t admin3 \n
next request
your text    is converted
 correctly


What more could one ask for? ;)


 
FRENCH MEMBER: If you understand French, don't hesitate to use it for better help from me

Offline r][m

Re: see bad pass/username
« Reply #14 on: March 15, 2009, 12:30:23 AM »
Mars
Many thanks for posting the codes. Since I'm not a programmer,
my solution may not be technically correct, but it works  :)
This in event scripts produces a special log
Code:
[unauthorized]
\n{.unauthorized|{.append|/A Location You Choose/Spl-Log.txt|
Bad_Login: %date% %time% %ip% {.if|%user%|%user%|0.} %password%.}\n

[upload completed]
\n{.Upload completed|{.append|/A Location You Choose/Spl-Log.txt|
Upload_Completed: %date% %time% %ip% %user% %item-name%.}\n

[download completed]
\n{.download completed|{.append|/A Location You Choose/Spl-Log.txt|
Download_Completed: %date% %time% %ip% %user% %item-name%.}\n
This makes the more important server data easy to analyze.
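
A sketch of how the special log written by the event script above could be reviewed for repeated failed logins. This is an added example, not part of the thread or of HFS: the sample log lines are constructed, and it assumes %date% and %time% each expand to a single token without spaces and that usernames contain no spaces. Because the log stores attempted passwords in clear text, the parser keeps only their length.

```python
from collections import defaultdict

# Constructed sample of Spl-Log.txt; the %date% and %time% layouts are assumed
# to be single whitespace-free tokens, which depends on the server's locale.
SAMPLE_LOG = """\
Bad_Login: 2009-03-15 00:30:23 127.0.0.1 TOM 123

Bad_Login: 2009-03-15 00:30:41 127.0.0.1 0 letmein
Upload_Completed: 2009-03-15 00:31:02 192.0.2.7 JUSTTEST notes.txt
Bad_Login: 2009-03-15 00:31:10 127.0.0.1 JUSTTEST my pass phrase
Bad_Login: 2009-03-15 00:32:55 192.0.2.7 JUSTTEST
"""

def parse_bad_logins(text):
    """Return one dict per Bad_Login line; other events and blanks are skipped."""
    events = []
    for line in text.splitlines():
        # The password is last and may contain spaces, so split at most 5 times.
        parts = line.strip().split(None, 5)
        if len(parts) < 5 or parts[0] != "Bad_Login:":
            continue
        _, date, time, ip, user = parts[:5]
        password = parts[5] if len(parts) > 5 else ""
        events.append({
            "when": f"{date} {time}",
            "ip": ip,
            # The event script writes 0 when no username was supplied.
            "user": None if user == "0" else user,
            "password_len": len(password),  # keep the length, drop the secret
        })
    return events

def failures_by_ip(events, threshold=3):
    """Map each IP with at least `threshold` failures to the usernames it tried."""
    seen = defaultdict(list)
    for e in events:
        seen[e["ip"]].append(e["user"])
    return {ip: users for ip, users in seen.items() if len(users) >= threshold}

if __name__ == "__main__":
    evts = parse_bad_logins(SAMPLE_LOG)
    for ip, users in failures_by_ip(evts).items():
        print(ip, len(users), "failed logins, usernames:", users)
```
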