rejetto forum

Software => HFS ~ HTTP File Server => HTML & templates => Topic started by: Lebjo on March 08, 2009, 10:47:45 AM

Title: see bad pass/username
Post by: Lebjo on March 08, 2009, 10:47:45 AM
Hi
I need some info.....

Eg;
Somebody whant access to my 'locked' folder.. if he insert a bad pass/username.... can i see what he inserted? (pass/user) (log .....?? )
Title: Re: see bad pass/username
Post by: rejetto on March 09, 2009, 11:09:58 PM
HFS will show the info only if the username is correct (but wrong password).
if you need more, we must go with scripting. let me know.
Title: Re: see bad pass/username
Post by: Lebjo on March 09, 2009, 11:31:48 PM
Yes, i need more info in log, what password and name he typing..
egsample
I have created 1 user named "JUSTTEST"

Somebody what to login and typing: user - "TOM", pass - "123"

and.. in log i want see
"""01:33:05 123 TOM@127.0.0.1:2517 Login failed""" - Bad password/username
Title: Re: see bad pass/username
Post by: rejetto on March 09, 2009, 11:40:49 PM
it cannot be done with current version, sorry.

but next 2.3 beta build #229 will let you put this in the event script file (ALT+F6).

[unauthorized]
{.add to log|Bad login: %user% / %password%.}
Title: Re: see bad pass/username
Post by: Lebjo on March 09, 2009, 11:57:23 PM
When #229 will be done? (Release)
Title: Re: see bad pass/username
Post by: rejetto on March 09, 2009, 11:58:54 PM
very soon.
maybe tonight.
or in this week.
Title: Re: see bad pass/username
Post by: r][m on March 11, 2009, 05:54:24 AM

but next 2.3 beta build #229 will let you put this in the event script file (ALT+F6).

[unauthorized]
{.add to log|Bad login: %user% / %password%.}
Works in regular log, but not apache format.  :(
Title: Re: see bad pass/username
Post by: rejetto on March 11, 2009, 12:37:10 PM
apache logs contains only requests.
the "add to log" is a free form of logging, and i guess it should not be included in apache format.
because i guess people using the apache format uses log analyzers. i don't know how they would behave in such situation.
i see 2 paths
- we discuss and see why such "free form" should fit the apache format.
- you don't use "add to log" but "append", and write directly to the apache format what you want.
Title: Re: see bad pass/username
Post by: r][m on March 12, 2009, 06:02:22 AM
apache logs contains only requests.
the "add to log" is a free form of logging, and i guess it should not be included in apache format.
because i guess people using the apache format uses log analyzers. i don't know how they would behave in such situation.
i see 2 paths
- we discuss and see why such "free form" should fit the apache format.
- you don't use "add to log" but "append", and write directly to the apache format what you want.

You added %z to apache log format. I used it
Quote
%h %l %u %t "%r" %>s %b "%{Referer}i %z" "%{User-Agent}i"
inside referer section. It produces result as screenshot attached. It could have been added to Request
section. Can't say what the result would be, of adding something else. But bad password would be nice
to have. Screen shot is of Analog 6.0 and at least lists the ~upload thats made.
When I can find some time I'll try append to see if it might be used some way, but I doubt it. Analog has a pretty narrow focus.
There is a better way, but we've been through that before :(
Title: Re: see bad pass/username
Post by: rejetto on March 12, 2009, 06:40:31 PM
i was partially wrong.
yes, "apache logs contains only requests", but a bad password is actually a request (rejected).
so, my question now is: this "bad" request should already be logged in apache-format when the "only served requests" is disabled.
if you confirm this, i guess the only thing you miss is the "password" information.
am i right?

Title: Re: see bad pass/username
Post by: r][m on March 13, 2009, 07:36:54 AM
iso, my question now is: this "bad" request should already be logged in apache-format when the "only served requests" is disabled.
if you confirm this, i guess the only thing you miss is the "password" information.
am i right?
Only served requests is disabled.
Bad login is only refered to as 401, or as "failure" in various report sections in Analog.
No reason given. Event scripts don't show with apache format.
I fear apache format is becomming inadequate as HFS evolves.
I'm working on the event scripts and "add to log" (regular log).
I think this may be a better direction, and is showing promise, but I may need help eventually.
It will be some hours before I'll know whats possible.
Is there any hope that you might make a small (but badly needed) change to the regular log?
Title: Re: see bad pass/username
Post by: rejetto on March 13, 2009, 03:56:41 PM
Bad login is only refered to as 401, or as "failure" in various report sections in Analog.
No reason given.

a 401 with a username is a "bad password".
what are you missing?

Quote
Is there any hope that you might make a small (but badly needed) change to the regular log?

how can i answer without knowing what you are talking about :)
Title: Re: see bad pass/username
Post by: r][m on March 14, 2009, 04:21:41 PM
r][m said
Quote
Event scripts don't show with apache format
Actually I was partially wrong, if you login by clicking on a protected
folder event scripts show in the HFS log window. If you use /~login
they do not.
Rejetto said
Quote
how can i answer without knowing what you are talking about
It might not be needed if I can use special events to make a special log work like...
Code: [Select]
[unauthorized]
{.unauthorized|{.append|/Server/Admin/log_file/New-Log.txt|Bad login:%date%-%time%-%user%-%password%.}
and it does work, but it appends the text in notepad like...
One line of textOne line of textOne line of text
Instead of...
One line of text
One line of text
Google finds lots of info on this, but I haven't been able to make anything work. Without proper
display, its useless.
Any idea on how to fix this?
Title: Re: see bad pass/username
Post by: Mars on March 14, 2009, 08:34:58 PM
The solution which is possible is to use \t and \n, they will be converted in tabulation and return to the line

Quote
  procedure save();
  begin result:=if_(saveFile(uri2diskMaybeFolder(p), xtpl(pars[1], ['\\','\|','\t',#09,'\n',CRLF,'\|','\']), name='append'), ' ') end;   // mars

\\t and \\n are converted to \t and \n ( no TAB and no CRLF )

the other way is using two macro {.crlf.} {.tab.} to obtain the same result.

Quote
    if name = 'crlf' then
      result:=CRLF;

    if name = 'tab' then
      result:=#09;

To convert any text in the same way, it is advisable to use the macro {.replace|... .} under this shape:
{.replace|\\|<//>|\t|{.tab.}|\n|{.crlf.}|<//>|\| your text\t is converted\n correctly.}


An example using both methods with hfs.events
Quote
[request]
{.append|hfs.test.log|user1: {.tab.} %user%1 {.crlf.}.}
{.append|hfs.test.log|user2: \t %user%2 \n.}
{.append|hfs.test.log|user3: \\t %user%3 \\n.}
{.append|hfs.test.log|\n next request \n.}
{.append|hfs.test.log|{.replace|\\|<//>|\t|{.tab.}|\n|{.crlf.}|<//>|\| your text\t is converted\n correctly.}
.}
hfs.test.log contain:
user1:     admin1
user2:     admin2
user3: \t admin3 \n
next request
your text    is converted
 correctly


For that to ask furthermore? ;)


 
Title: Re: see bad pass/username
Post by: r][m on March 15, 2009, 06:30:23 AM
Mars
Many thanks for posting the codes. Since I'm not a programer,
my solution may not be technically correct, but it works  :)
This in event scripts produces a special log
Code: [Select]
[unauthorized]
\n{.unauthorized|{.append|/A Location You Choose/Spl-Log.txt|
Bad_Login: %date% %time% %ip% {.if|%user%|%user%|0.} %password%.}\n

[upload completed]
\n{.Upload completed|{.append|/A Location You Choose/Spl-Log.txt|
Upload_Completed: %date% %time% %ip% %user% %item-name%.}\n

[download completed]
\n{.download completed|{.append|/A Location You Choose/Spl-Log.txt|
Download_Completed: %date% %time% %ip% %user% %item-name%.}\n
This makes the more important server data easy to analyze.
Title: Re: see bad pass/username
Post by: rejetto on March 16, 2009, 01:13:10 PM
my solution may not be technically correct, but it works  :)

the solution is just that, to enter the NEWLINE yourself :)

but you have some inutility in your code, you should use this form

[unauthorized]
{.append|/A Location You Choose/Spl-Log.txt|Bad_Login: %date% %time% %ip% {.if|%user%|%user%|0.} %password%
.}


having the NEWLINE at the end will avoid to create a blank line if the file is initially empty.
Title: Re: see bad pass/username
Post by: r][m on March 16, 2009, 04:42:53 PM
Rejetto
Thanks for the reply.
I've run into a problem with using the special log via event scripts.
The [download completed] records every thing, .gif, ~img, etc.
File mask, or don't log doesn't effect it.
I'm back to the request
Quote
Is there any hope that you might make a small (but badly needed) change to the regular log?
Regular log would work if:
3/16/09 3:14:25 AM user@192.168.1.35:1657 Requested GET /Server/
Could be out put as this with a space on each side of @
3/16/09 3:14:25 AM user @ 192.168.1.35:1657 Requested GET /Server/
But there would have to be a place holder when no user like apache
3/16/09 3:14:29 AM - 192.168.1.35:1658 Requested GET /Main/
Could this be done?

Title: Re: see bad pass/username
Post by: rejetto on March 17, 2009, 01:15:32 PM
i do not really like it, because actually the space can be used in the /path/to/file
won't this cause a problem?
my idea is that i could fire on the file TABS instead of spaces. this would solve the problem of having spaces inside data.
even with no user, the tab would be present, so there's no need for the "-" as place holder.
next version will use this format (only on disk, on video it will stay the same).
i don't like the idea of changing the format. someone may be relying on the current format to analyze the data :-\
but i understand the importance of using a generic tool to parse the data.
we'll see if anyone complaints.
in case, it will be an option.

the [download completed] problem is discussed on the other topic.
Title: Re: see bad pass/username
Post by: r][m on March 17, 2009, 05:44:30 PM
Quote
do not really like it, because actually the space can be used in the /path/to/file
won't this cause a problem?
Do you mean
3/17/09 11:58:26 AM user@192.168.1.35:1104 Requested GET /Server/Shared_Files/Last Value In Range.doc
the spaces as marked in blue ? No. The significant log info is, Date, Time, User, and IP.
Anything to the right of IP can be re-combined, but anything with no space (I at least)
can't seperate.
Quote
someone may be relying on the current format to analyze the data
If they are I wish they'd share the method. I see no way, with out seperating user and IP,
which is what apache does, 192.168.1.35 - user [17/Mar/2009:03:13:50 -0600]
I'm aware of TABS, but haven't used it.
We'll give it a try. Should work.
My purpose is to get away from apache log format, as I feel it was never intended to log the
info HFS can log. HFS is out growing apache log's design intent. There will soon come a point
where the log analyzer prog's just wont be able to read whats available.
It should be possible to use a database to show #1 download, #1 user, # visits by IP, etc.
even charts are a possibility.
Title: Re: see bad pass/username
Post by: rejetto on March 17, 2009, 06:53:56 PM
the new format is out
Title: Re: see bad pass/username
Post by: Lebjo on May 08, 2010, 11:56:04 AM
with 2.3 beta build #229 version - worked fine...
but now i wanna use this funckion with 2.3b 260... - and not working - why??
Title: Re: see bad pass/username
Post by: rejetto on May 08, 2010, 02:54:32 PM
please be more specific.
report what did you do that's not working.
Title: Re: see bad pass/username
Post by: Lebjo on May 08, 2010, 04:19:20 PM
when typing wrong password and name(to login window..) - in 'log' im not getting information about this...
Title: Re: see bad pass/username
Post by: maverick on May 09, 2010, 06:50:05 AM
when typing wrong password and name(to login window..) - in 'log' im not getting information about this...

You already got an answer to this:

http://www.rejetto.com/forum/index.php/topic,6719.msg1041472.html#msg1041472
Title: Re: see bad pass/username
Post by: Lebjo on May 09, 2010, 06:05:28 PM
You already got an answer to this:

http://www.rejetto.com/forum/index.php/topic,6719.msg1041472.html#msg1041472


ahhhh not working... maybe need some 'modification' or change some options?

Why i dont getting information like this

(http://www.ipix.lt/images/59075693.png)
Title: Re: see bad pass/username
Post by: maverick on May 09, 2010, 08:41:47 PM
Lebjo

Works fine here.

Quote
02:30:33 PM Lebjo@127.0.0.1:1136 Bad login:  Name Used - Lebjo / Password Used - Libby
Title: Re: see bad pass/username
Post by: Lebjo on May 10, 2010, 02:38:07 PM
dam...
i instaled new fresh hfs version to my virtual windows - stil not working...
again:
maybe need change some settings?


(http://www.ipix.lt/images/13593460.png)

2.3beta 260
Title: Re: see bad pass/username
Post by: r][m on May 10, 2010, 03:03:15 PM
dam...
i instaled new fresh version to my virtual windows - stil not working...
again:
maybe need change some settings?
Do you have something like this in hfs.events file?
Code: [Select]
[+unauthorized]
{.add to log | Bad Login: %user% %password%|red
.}
The "log what" setings don't seem to change anything here.
Title: Re: see bad pass/username
Post by: rejetto on May 10, 2010, 04:27:10 PM
this code
Code: [Select]
[+unauthorized]
{.append|/A Location You Choose/Spl-Log.txt|Bad_Login: %date% %time% %ip% {.if|%user%|%user%|0.} %password%
.}

must be put in the template, not events file.
so the best way is to right click on the root/home > properties > diff template
Title: Re: see bad pass/username
Post by: Lebjo on May 10, 2010, 06:30:00 PM
rejetto


With your code in Spl-Log.txt file i having 1 empty (with no pass ir no name) line.. why?



one more question
is possible to do this function
if user type bad password/username..  - he anyway  can go to that 'folder'
i need just 1 'pop up' login window.
Title: Re: see bad pass/username
Post by: r][m on May 10, 2010, 07:38:07 PM
this code
Code: [Select]
[+unauthorized]
{.append|/A Location You Choose/Spl-Log.txt|Bad_Login: %date% %time% %ip% {.if|%user%|%user%|0.} %password%
.}

must be put in the template, not events file.
so the best way is to right click on the root/home > properties > diff template
I have this in hfs.events as well as the first I posted, and it works in 260 here? So this should be in tpl?
Title: Re: see bad pass/username
Post by: Mars on May 10, 2010, 07:42:39 PM
I have this in hfs.events as well as the first I posted, and it works in 260 here? So this should be in tpl?

refer you to http://www.rejetto.com/wiki/index.php?title=HFS:_Template

Both have to work ;)

Code: [Select]
    runEventScript('unauthorized');
    getPage('unauthorized', data);

Quote
Network events

unauthorized
this user has no permission to access the requested resource.

Sections List
[unauthorized]
HTML for the %content% symbol


in tpl, section [unauthorized]  is evaluated so often as the variable %content% appear in the section [error-page]

Code: [Select]
if data.conn.reply.mode <> HRM_REPLY then
    s:=xtpl(tpl2use['error-page'], ['%content%', s]);
Title: Re: see bad pass/username
Post by: r][m on May 11, 2010, 01:25:57 PM
Thanks Mars,
I moved these to tpl and I think it works better !