LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 13:24
by loop
Just recently we noticed that failed logins from password protected directories are no longer blocked by LF_HTACCESS,
and we are pretty sure it was working several versions before.
The logs are present but no action is taken anymore by LF_HTACCESS:
[Tue Feb 25 07:11:10.228185 2014] [auth_basic:error] [pid 5516] [client xxx.xxx.xxx.xxx:57130] AH01618: user sdfsdfsdf not found: /admin/
PS: we keep RESTRICT_SYSLOG disabled.
Any ideas?
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 14:44
by betweenbrain
Hello loop,
You may be correct that LF_HTACCESS is no longer working correctly. I have been attempting to get it working with the most recent version without any luck. I've tried to replicate what you have, and csf/lfd doesn't act on it.
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 15:42
by ForumAdmin
That isn't a log format that is currently tracked by regex.pm. Which version of Apache is this for? v2.4?
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 15:44
by Black Tiger
This might be due to changes in Apache.
Normally when I used a faulty user, I could only try 3 times before getting an error notice.
Now on a cpanel server, I see this in the error log:
[Tue Feb 25 16:40:10 2014] [error] [client 84.26.xxx.xxx] user dkdk not found: /test/closedir/
Just like the log line which loop posted.
So the problem lies in Apache rather than in CSF, if you ask me.
Apache should stop the attempts after 3 tries with an authentication error, and it doesn't.
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 15:55
by betweenbrain
In my case, I'm using nginx, which has a similar format of:
2014/02/25 15:53:41 [error] 1507#0: *42395 user "foo" was not found in ".htpasswd", client: 123.456.61.212, server: http://DOMAIN, request: "GET / HTTP/1.1", host: "DOMAIN"
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 16:38
by Black Tiger
Does it stop after 3 attempts on nginx? Or can you keep on going trying to put various usernames in there?
There should be an authentication error after 3 attempts if all was working as it should be, correct?
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 17:02
by ForumAdmin
The regexes for Apache v2.4 will be addressed in the next csf release. nginx support is only sparse at present and you may have to craft your own if the current ones do not work for your installation.
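The thread quotes three differently shaped auth-failure lines (Apache 2.4 with AH01618, Apache 2.2, and nginx). As an added example, not csf's own code and not in Perl like lfd's regex.pm, the block below shows the kind of per-format regex and per-IP counting that LF_HTACCESS-style detection needs, run over constructed sample lines. Assumptions: the "password mismatch" alternatives (Apache AH01617, nginx `password mismatch`) are taken from the respective modules' message formats rather than from this thread; the client addresses are RFC 5737 documentation addresses; the trigger count of 5 is the assumed csf default for LF_HTACCESS, and no LF_INTERVAL time window is applied.

```python
import re
from collections import Counter

# One regex per log format. The Apache 2.4 line differs from 2.2 in two ways
# that break a 2.2-era pattern: the module tag "[auth_basic:error]" replaces
# plain "[error]", and the "[client ...]" field now carries a source port.
PATTERNS = {
    # [Tue Feb 25 07:11:10.228185 2014] [auth_basic:error] [pid 5516] [client 1.2.3.4:57130] AH01618: user bob not found: /admin/
    "apache24": re.compile(
        r'^\[[^\]]+\] \[auth_basic:error\] \[pid \d+\] '
        r'\[client (?P<ip>[^\]]+?)(?::\d+)?\] '      # lazy IP, optional ":port"
        r'AH0161[78]: user (?P<user>[^\s:]+)'
        r'(?: not found:|: authentication failure for ")'
    ),
    # [Tue Feb 25 16:40:10 2014] [error] [client 1.2.3.4] user bob not found: /test/
    "apache22": re.compile(
        r'^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] '
        r'user (?P<user>[^\s:]+)'
        r'(?: not found:|: authentication failure for ")'
    ),
    # 2014/02/25 15:53:41 [error] 1507#0: *42395 user "bob" was not found in ".htpasswd", client: 1.2.3.4, ...
    "nginx": re.compile(
        r'^\S+ \S+ \[error\] \d+#\d+: \*\d+ user "(?P<user>[^"]*)"'
        r'(?: was not found in "[^"]*"|: password mismatch), '
        r'client: (?P<ip>[^,]+),'
    ),
}

# Constructed sample lines modelled on the formats quoted in the thread.
# 203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses.
SAMPLE_LINES = [
    '[Tue Feb 25 07:11:10.228185 2014] [auth_basic:error] [pid 5516] [client 203.0.113.10:57130] AH01618: user sdfsdfsdf not found: /admin/',
    '[Tue Feb 25 07:11:12.001122 2014] [auth_basic:error] [pid 5516] [client 203.0.113.10:57131] AH01618: user root not found: /admin/',
    '[Tue Feb 25 07:11:14.334455 2014] [auth_basic:error] [pid 5517] [client 203.0.113.10:57132] AH01617: user admin: authentication failure for "/admin/": Password Mismatch',
    '[Tue Feb 25 07:11:16.667788 2014] [auth_basic:error] [pid 5517] [client 203.0.113.10:57133] AH01617: user admin: authentication failure for "/admin/": Password Mismatch',
    # unrelated error line: must not count as an auth failure
    '[Tue Feb 25 07:11:18.990011 2014] [core:error] [pid 5516] [client 198.51.100.7:40001] File does not exist: /var/www/html/favicon.ico',
    '[Tue Feb 25 16:40:10 2014] [error] [client 198.51.100.7] user dkdk not found: /test/closedir/',
    '2014/02/25 15:53:41 [error] 1507#0: *42395 user "foo" was not found in ".htpasswd", client: 203.0.113.10, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
    '2014/02/25 15:53:43 [error] 1507#0: *42396 user "foo": password mismatch, client: 203.0.113.10, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
]


def parse_auth_failure(line):
    """Return {"source", "ip", "user"} for a recognised auth-failure line, else None."""
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return {"source": source, "ip": m.group("ip"), "user": m.group("user")}
    return None


def find_offenders(lines, threshold=5):
    """Count auth failures per client IP and return those at or over threshold.

    threshold stands in for the LF_HTACCESS trigger count (assumed default 5).
    No time window is applied; lfd additionally scopes its counts to LF_INTERVAL.
    """
    counts = Counter()
    for line in lines:
        hit = parse_auth_failure(line)
        if hit:
            counts[hit["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LINES).items():
        print(f"{ip}: {n} failed Basic-auth attempts, would be blocked")
```

Run against the sample, only 203.0.113.10 reaches the threshold (6 hits across the Apache 2.4 and nginx formats); the single Apache 2.2 failure from 198.51.100.7 and the unrelated "File does not exist" line do not. The practical check for anyone hand-crafting a pattern: match it against a line copied verbatim from the current error_log, since a regex written for `[error] [client IP]` will silently match nothing once the server logs `[auth_basic:error] [pid N] [client IP:PORT]`.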
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 17:20
by betweenbrain
@Black Tiger - No, it does not stop after three attempts. I suspect that I will need to dig deeper into that aspect of things.
@ForumAdmin - Thanks. Looks like I need to add my own login failure tracking.
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 18:18
by Black Tiger
@betweenbrain: I just learned that it was not Apache but the browsers that gave the unauthorized notice after 3 attempts.
Since some time the browsers changed this and just keep presenting the login screen.
Which of course is a bad idea, because this can be abused for brute-forcing.
@Admin: Hopefully also for Apache 2.2.x releases?
I presume it will be some kind of counting against attempts in the logfile?
Re: LF_HTACCESS no longer working in recent versions
Posted: 25 Feb 2014, 18:29
by ForumAdmin
If you're seeing this issue you need to post an example of a log line that is not being detected as loop has done.