rajsolaris

reporting failed login attempts of apache logs

Can I monitor failed login attempts on the Hyperion portal through SiteScope?
I am new to SiteScope. It is an agentless monitoring tool. I am trying to set it up to monitor failed login attempts made by the user on the Hyperion portal. The Hyperion portal is hosted on Apache: /opt/tools/hyperion/apache/
Or is there any other workaround to do this? Suggestions, please.

Thanks In Advance
yuzh

The failed login attempts are stored in the /var/apache/logs/error_log file.

To get all the failed logins out of the file, you can do:

grep authentication /var/apache/logs/error_log  > /tmp/fail-login

The new file /tmp/fail-login has all the records (well, you need to have permission to read the /var/apache/logs/error_log file).

For more details about Apache authentication:
http://httpd.apache.org/docs/1.3/howto/auth.html
http://www.modperl.com/book/chapters/ch6.html

PS: The web access user is not a system user; it does not have a shell login account on your box, unless you create the same login name and password as a system user.

rajsolaris

ASKER

Hi,

What I want to do is monitor portal logins. Can you please suggest a shell script to do this?
If there is a failed login attempt, the user should receive a mail.

Thanks, buddy.

It depends on how you set up the log format in Apache. E.g., on my server one record would look like:

[Sun Jan 13 14:48:02 2008] [error] [client xxx.xxx.xx.xx ] user shark: authentication failure for "/disciplines/soemfile": password mismatch

You need to extract a record from your file. The process is not hard to do, but I don't think there is a need to send email to the user; they are not system users for the OS, and they don't have a login to your box.

If you still want to do it, you can write a script to do the job and use a cron job to check the log once (or a couple of times) a day.

Your script gets the current day's failed login records and stores them in a tmp file,
then gets the list of users from the tmp file (e.g. the 9th field):
shark:
Then get rid of the ":" and find user shark's email address from somewhere on your system. You can store a list of users and email addresses somewhere on your system to do the job. Then send the email.

The script is not hard, but it takes time to write. If you want someone to write you a script, please post a question in:
https://www.experts-exchange.com/Programming/System/Unix_-_Posix/

Remember to post a sample record from your box; some of the experts might have time to write one for you.

PS: A hacker cannot use the web login to hack into your system, e.g.
      shark is a login name for accessing one of my web dirs, but it is not a
      real OS user!
Good luck!



Hi expert,

Let me correct it this way: instead of the user receiving the mail, the mail should be sent to the support team: support@something.com
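
Added example, not part of the thread and not any poster's script: one way to implement the steps described above (pick out the day's authentication failures, extract the user and client, and build a summary for the support address). The function names, sample records and mail subject are assumptions, and the parsing assumes the error_log record layout quoted in the thread.

```shell
#!/bin/sh
# Added example: daily report of failed Apache basic-auth logins.
# Assumes the error_log record layout quoted in the thread.

# failed_logins DAY YEAR < error_log   (DAY like "Sun Jan 13")
# Prints "user client" for each authentication failure on that day.
failed_logins() {
    awk -v day="$1" -v year="$2" '
        /authentication failure/ {
            stamp = substr($0, 1, index($0, "]"))
            tail = " " year "]"
            if (index(stamp, "[" day " ") != 1) next
            if (substr(stamp, length(stamp) - length(tail) + 1) != tail) next
            i = index($0, "[client ")
            j = index($0, "] user ")
            k = index($0, ": authentication failure")
            if (!i || !j || k <= j) next
            client = substr($0, i + 8)
            client = substr(client, 1, index(client, "]") - 1)
            gsub(/ /, "", client)
            print substr($0, j + 7, k - j - 7), client
        }'
}

# summarize: "count user client" lines, most failures first.
summarize() {
    sort | uniq -c | sort -rn | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

# build_report DAY YEAR LOGFILE: mail body, or nothing if no failures.
build_report() {
    hits=$(failed_logins "$1" "$2" < "$3" | summarize)
    [ -z "$hits" ] || printf 'Failed portal logins, %s %s (count user client):\n%s\n' "$1" "$2" "$hits"
}

# Constructed sample records (documentation addresses, made-up users).
sample_log() {
    cat <<'EOF'
[Sun Jan 13 14:48:02 2008] [error] [client 192.0.2.10 ] user shark: authentication failure for "/portal": password mismatch
[Sun Jan 13 14:48:09 2008] [error] [client 192.0.2.10 ] user shark: authentication failure for "/portal": password mismatch
[Sun Jan 13 15:02:41 2008] [error] [client 198.51.100.7] user admin: authentication failure for "/portal": password mismatch
[Sat Jan 12 09:15:00 2008] [error] [client 192.0.2.10 ] user shark: authentication failure for "/portal": password mismatch
[Sun Jan 13 16:00:00 2008] [error] [client 192.0.2.33] File does not exist: /opt/htdocs/favicon.ico
EOF
}

# Cron usage (not run here); use %e instead of %d if the log space-pads days:
#   body=$(build_report "$(date '+%a %b %d')" "$(date +%Y)" /var/apache/logs/error_log)
#   [ -z "$body" ] || echo "$body" | mailx -s "Portal failed logins" support@something.com
```

The user name in each record is text supplied by the client, so the script only ever passes it through awk and sort as data and never evaluates it. Repeated failures for one user from one client show up as a single line with a high count.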