[Solved] How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd

Added by pamandine 6 months ago

Hello,

I work with LIGHTTPD and FLASK, implemented in python.

I needed to detect when there is a bad authentication on the first page of login provided by LIGHTTPD (in attachment).

So I have looked for this information but I did not find anything indicating precisely a bad authentication.
I tried to use the logs but nothing there except when the password (only) is wrong. But if the user is wrong, well.. no message, nothing.
I did not understand if the "authorizer" mode could be used (I did not understand how it works, and did not find any example I could understand, honestly).

I want to keep LIGHTTPD as a manager for authentication because it is probably better than whatever I could do (even with FLASK). More secure too, I'm sure.

However, I found many possibilities to detect a correct authentication.

So is there any easy way to detect a bad user and/or bad password? Or should I stop trying to detect them?

My configuration is :

Version of lighttpd -> lighttpd/1.4.59 (ssl) - a light and fast webserver

Operating System (OS) you are using -> Linux gt001 5.10.30 #205 SMP PREEMPT Tue Jun 21 12:11:00 UTC 2022 armv7l GNU/Linux
-> Linux debianPamVm 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux

Configuration you are using -> lighttpd.conf in attachment (I replaced some private information with XXXXX or YYYYY)

What client you used -> Chrome and Firefox

Attachments:
loginpage.PNG (33.1 KB) - Login page provided by lighttpd
lighttpd.conf (5.25 KB) - lighttpd.conf in HTTP+HTTPS

Replies (6)

RE: How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd - Added by gstrauss 6 months ago

FYI: You're running a slightly older version of lighttpd. Latest is lighttpd 1.4.65.

I needed to detect when there is a bad authentication on the first page of login provided by LIGHTTPD (in attachment).

Programmatically?

Internally, lighttpd sets r->keep_alive = -1 if username or password is bad, and this causes lighttpd to close the connection (no keep_alive). In lighttpd 1.4.65, the value of r->keep_alive can be obtained in a custom lua script in mod_magnet.

Beyond that, if you need detailed access to the authentication process, then you need to implement your own FastCGI authorizer.

So is there any easy way to detect a bad user and/or bad password ?

Check the lighttpd error log for auth failures.

There are programs such as fail2ban which may help you: http://www.fail2ban.org/wiki/index.php/Main_Page

RE: How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd - Added by gstrauss 6 months ago

I tried to use the logs but nothing there except when the password (only) is wrong. But if the user is wrong, well.. no message, nothing.

Please provide some reasoning why this information is important to you.

401 Unauthorized means ... unauthorized. If the HTTP request provided Authorization and received 401 Unauthorized status in response, then the user/pass was incorrect unless the HTTP response header WWW-Authenticate contains "stale=true". You can check this in a custom lua script using mod_magnet, even in earlier versions of lighttpd.

RE: How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd - Added by pamandine 6 months ago

FYI: You're running a slightly older version of lighttpd. Latest is lighttpd 1.4.65.

Ok, I will update it, thank you for the information.

"401 Unauthorized means ... unauthorized" 

I should have seen it, I missed it... There is so much data in the log, I didn't pay attention to the HTML responses themselves, once I had seen:

2022-06-23 07:04:33: mod_auth.c.1482) digest: auth failed for admin: wrong password, IP: 192.168.5.235

But indeed, there is:

2022-06-22 16:08:54: response.c.158) Response-Header:\nHTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="XXXXX", charset="UTF-8", algorithm=MD5, nonce="62b33e96:46c06aef821f03e84ea29f456f7cb45a", qop="auth", stale=true\r\nContent-Type: text/html\r\nContent-Length: 347\r\nDate: Wed, 22 Jun 2022 16:08:54 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n

Please provide some reasoning why this information is important to you.

Well, I have to improve an already built product, which has its own HTTP server with a specific functioning. I have to keep, if possible, most of the old functions, like in this case : detect a bad authentication and send traps/mails/etc. to users.

You gave me interesting things to test. This is the first time I see "mod_magnet" mentioned, so I'm going to try this, cast an eye over the fail2ban main page and, of course, update my LIGHTTPD to the latest version.
I thank you very much! I was going around in circles on this.

RE: How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd - Added by gstrauss 6 months ago

Completely untested lua code to get you started. You'll need to be more careful what you log if GDPR or other regulations apply to your logging.

lighttpd.conf
magnet.attract-response-start-to = "/path/to/log-bad-auth.lua"

log-bad-auth.lua

-- runs at response start for every request (magnet.attract-response-start-to)
local r = lighty.r
local req_item = r.req_item
-- lighttpd 1.4.65+: keep_alive == -1 is set when the user or password is bad
if (req_item.http_status == 401 and req_item.keep_alive == -1) then
  local authorization = r.req_header["Authorization"]
  local www_auth = r.resp_header["WWW-Authenticate"]
  -- a 401 without Authorization is the initial challenge; stale=true is a nonce refresh, not a bad credential
  if (authorization and www_auth and not string.match(www_auth, ", stale=true")) then
    -- print() writes to the lighttpd error log; Authorization carries the credential the client presented
    print("bad auth: IP: " .. r.req_attr["request.remote-addr"] .. " Authorization: " .. authorization)
  end
end

RE: How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd - Added by pamandine 6 months ago

Thank you for this script! It works fine on my Virtual Machine with the latest lighttpd version.
Unfortunately, for the moment, I cannot update the lighttpd version of my product (I am on a LINUX based on buildroot) and the last version I can have is 1.4.59. I could update the buildroot I use but even with that, the last lighttpd version available is 1.4.64.

So I will try your other proposal with lua:

401 Unauthorized means ... unauthorized. If the HTTP request provided Authorization and received 401 Unauthorized status in response, then the user/pass was incorrect unless the HTTP response header WWW-Authenticate contains "stale=true". You can check this in a custom lua script using mod_magnet, even in earlier versions of lighttpd.

I would have preferred the first option with lighttpd 1.4.65 but.. it seems that I don't have the choice for the moment. I can just wait for buildroot to have lighttpd 1.4.65 and update the script with req_item.keep_alive at this moment. Seems better this way.

But anyway, your answer is very helpful for me! You gave me something to start with, to work with, and I thank you a lot.

RE: [Solved] How to detect if there is a bad user/password in HTTP/HTTPS thanks to lighttpd - Added by gstrauss 5 months ago

Glad to hear it works for you. The lua code above has some redundancy to work with different versions of lighttpd (with minor adjustments). If you are running lighttpd 1.4.65+, then checking for req_item.keep_alive -1 makes the check for WWW-Authenticate not containing ", stale=true" redundant. If you are running an earlier version of lighttpd, then you have to remove req_item.keep_alive -1, but must keep the check for WWW-Authenticate not containing ", stale=true".
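As an added example (not gstrauss's script, and not part of the thread), the following mod_magnet script folds the two version-dependent checks described above into one file and, for the logging caveat raised earlier, records only the Digest username instead of the full Authorization header (a Basic token is base64 of user:password and is never written out). It assumes the lighty.r fields used in the thread, and it assumes that req_item.keep_alive reads as nil on lighttpd versions before 1.4.65.

```lua
-- log-bad-auth.lua (added example) for magnet.attract-response-start-to
local r = lighty.r
local req_item = r.req_item

-- Return something loggable from the Authorization header without storing
-- the credential itself.
local function auth_identity(authorization)
  local scheme = string.match(authorization, "^(%a+)")
  if scheme == "Digest" then
    -- Digest sends the username in clear as a quoted parameter
    local user = string.match(authorization, 'username="([^"]*)"')
    return "digest user=" .. (user or "?")
  end
  -- Basic (or anything else): log the scheme only, the token holds the password
  return string.lower(scheme or "unknown") .. " (credential redacted)"
end

if req_item.http_status == 401 then
  local authorization = r.req_header["Authorization"]
  local www_auth = r.resp_header["WWW-Authenticate"]
  -- A 401 without Authorization is just the initial challenge, not a failure.
  if authorization and www_auth then
    local bad
    if req_item.keep_alive ~= nil then
      -- lighttpd 1.4.65+: keep_alive == -1 is set only for a bad user/password
      bad = (req_item.keep_alive == -1)
    else
      -- Older lighttpd (assumed: keep_alive not exposed): a 401 whose challenge
      -- carries stale=true is a nonce refresh, so only the other 401s count.
      bad = not string.match(www_auth, ", stale=true")
    end
    if bad then
      -- print() goes to the lighttpd error log, where fail2ban can pick it up
      print("bad auth: IP: " .. r.req_attr["request.remote-addr"]
        .. " " .. auth_identity(authorization))
    end
  end
end
```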
