LF_HTACCESS no longer working in recent versions

loop
Junior Member
Posts: 11
Joined: 12 Oct 2013, 10:40

LF_HTACCESS no longer working in recent versions

Post by loop »

Just recently we noticed that failed logins from password-protected directories are no longer blocked by LF_HTACCESS

and we are pretty sure it was working several versions before.

The logs are present but no actions are taken anymore by LF_HTACCESS.

[Tue Feb 25 07:11:10.228185 2014] [auth_basic:error] [pid 5516] [client xxx.xxx.xxx.xxx:57130] AH01618: user sdfsdfsdf not found: /admin/


PS: we keep RESTRICT_SYSLOG disabled.

Any ideas? :)
betweenbrain
Junior Member
Posts: 8
Joined: 19 Feb 2014, 01:40
Location: United States

Re: LF_HTACCESS no longer working in recent versions

Post by betweenbrain »

Hello loop,

You may be correct that LF_HTACCESS is no longer working correctly. I have been attempting to get it working with the most recent version without any luck. I've tried to replicate what you have and csf/lfd doesn't act on it.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_HTACCESS no longer working in recent versions

Post by ForumAdmin »

That isn't a log format that is currently tracked by regex.com. Which version of Apache is this for? v2.4?
Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: LF_HTACCESS no longer working in recent versions

Post by Black Tiger »

This might be due to changes in Apache.
Normally when I used a faulty user, I could only try 3 times before getting an error notice.
Now on a cpanel server, I see this in the error log:
[Tue Feb 25 16:40:10 2014] [error] [client 84.26.xxx.xxx] user dkdk not found: /test/closedir/
Just like the logfile which Loop posted.
So the problem lies in Apache rather than in CSF, if you ask me.
Apache should stop the attempts after 3 tries with an authentication error and it doesn't.
betweenbrain
Junior Member
Posts: 8
Joined: 19 Feb 2014, 01:40
Location: United States

Re: LF_HTACCESS no longer working in recent versions

Post by betweenbrain »

In my case, I'm using nginx, which has a similar format of


2014/02/25 15:53:41 [error] 1507#0: *42395 user "foo" was not found in ".htpasswd", client: 123.456.61.212, server: http://DOMAIN, request: "GET / HTTP/1.1", host: "DOMAIN"
Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: LF_HTACCESS no longer working in recent versions

Post by Black Tiger »

Does it stop after 3 attempts on nginx? Or can you keep on trying to put various usernames in there?
There should be an authentication error after 3 attempts if all was working as it should be, correct?
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_HTACCESS no longer working in recent versions

Post by ForumAdmin »

The regexes for Apache v2.4 will be addressed in the next csf release. nginx support is only sparse at present and you may have to craft your own if the current ones do not work for your installation.
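An added example, not part of the thread and not csf's own regexes: a stand-alone Python check that matches the three failed-login formats quoted above (Apache 2.4, Apache 2.2, nginx) and counts failures per client address. The sample lines are constructed from the quoted formats with documentation IPs and a placeholder host in place of the masked values, and the limit of 5 is an assumed threshold.

```python
import re
from collections import Counter

IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# Illustrative patterns for the formats quoted in this thread (not csf's own).
# Each is anchored at line start, and in the Apache formats the IP is read
# from the [client ...] field, which precedes the user-supplied name.
PATTERNS = [
    # Apache 2.2: [date] [error] [client IP] user NAME not found: PATH
    # Apache 2.4 adds a module prefix, [pid N], a client port and an AH code.
    re.compile(r'^\[[^\]]+\] \[(?:auth_basic:)?error\] (?:\[pid \d+\] )?'
               r'\[client ' + IP + r'(?::\d+)?\] '
               r'(?:AH\d+: )?user \S+ not found: '),
    # nginx: DATE TIME [error] PID#TID: *CONN user "NAME" was not found
    #        in "FILE", client: IP, ...
    re.compile(r'^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[error\] \d+#\d+: \*\d+ '
               r'user "[^"]*" was not found in "[^"]*", client: ' + IP + r','),
]

# Constructed sample lines (formats from the thread, addresses are placeholders).
SAMPLE = [
    '[Tue Feb 25 07:11:10.228185 2014] [auth_basic:error] [pid 5516] '
    '[client 192.0.2.10:57130] AH01618: user sdfsdfsdf not found: /admin/',
    '[Tue Feb 25 16:40:10 2014] [error] [client 198.51.100.7] '
    'user dkdk not found: /test/closedir/',
    '2014/02/25 15:53:41 [error] 1507#0: *42395 user "foo" was not found in '
    '".htpasswd", client: 203.0.113.5, server: example.test, '
    'request: "GET / HTTP/1.1", host: "example.test"',
    '[Tue Feb 25 16:41:00 2014] [error] [client 198.51.100.7] '
    'File does not exist: /var/www/favicon.ico',
]

def failed_login_ip(line):
    """Return the client IP if the line is a failed htpasswd login, else None."""
    for pattern in PATTERNS:
        match = pattern.match(line)
        if match:
            return match.group('ip')
    return None

def ips_over_limit(lines, limit=5):
    """Count failed logins per IP and return those at or above the limit."""
    counts = Counter(ip for ip in map(failed_login_ip, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= limit}

if __name__ == '__main__':
    for line in SAMPLE:
        print(failed_login_ip(line), '<-', line[:60])
```

Running an undetected log line through `failed_login_ip` shows quickly whether a pattern needs another optional field before it is ported to the firewall's own regex file.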
betweenbrain
Junior Member
Posts: 8
Joined: 19 Feb 2014, 01:40
Location: United States

Re: LF_HTACCESS no longer working in recent versions

Post by betweenbrain »

@Black Tiger - No, it does not stop after three attempts. I suspect that I will need to dig deeper into that aspect of things.

@ForumAdmin - Thanks. Looks like I need to add my own login failure tracking.
Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: LF_HTACCESS no longer working in recent versions

Post by Black Tiger »

@betweenbrain: I just learned that it was not Apache but the browsers that gave the unauthorized notice after 3 attempts.
Some time ago the browsers changed this and now just keep presenting the login screen.
Which of course is a bad idea because this can be abused for brute-forcing.

@Admin: Hopefully also for Apache 2.2.x releases?
I presume it will be some kind of counting against attempts in the logfile?
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_HTACCESS no longer working in recent versions

Post by ForumAdmin »

If you're seeing this issue you need to post an example of a log line that is not being detected as loop has done.