searching apache error and access log for users who had a password mismatch

bob hope · 12-08-2017, 08:27 AM

Hi, I have a few questions from my supervisor. One of them is to find how many times there was access to the server with a password mismatch. I don't have the foggiest in what type of command to use to get it. And also which users were not found when they tried to access the server, ie they entered a username and password but were not found on the system.

Any help would be great!

Thanks.

keefaz · 12-08-2017, 11:31 AM

Quote:

Originally Posted by bob hope

Hi, I have a few questions from my supervisor. One of them is to find how many times there was access to the server with a password mismatch. I don't have the foggiest in what type of command to use to get it. And also which users were not found when they tried to access the server, ie they entered a username and password but were not found on the system.

Any help would be great!

Thanks.

Usually system logs any failed login attempt, log files location can vary depending on your system (log configuration). Start by looking in /var/log

Turbocapitalist · 12-08-2017, 12:25 PM

Or are you talking about the web server's Basic Authentication rather than SSH?

If so, and you are using the Combined Log Format for Apache, then you could start to look for it by looking for status code 401 Unauthorized in the logs where there is also a user name given:

Code:

awk '$9=="401"&&($2!="-"||$3!="-")'

Which log format are you using for Apache at the moment?