Logging unauthorised login attempts

alanjrobertson

Hi folks

I'm trying to find a way of logging unauthorised attempts to access the secure part of a site that I run.

Story so far:
- .htaccess, etc. in place and working well for the /secure directory
- custom 401 (etc.) pages in place

I'd put a bit of code into the custom 401 page so that it would send me an e-mail whenever an attempt was made to login (with details of the login ID used by the person attempting to login along with the time/date and their IP).

I thought this was fine, but unfortunately I've found out that it actually e-mails me every time someone logs into the site! I'm guessing it must parse the 401 error page in preparation when it pops up the id/pwd HTTP-AUTH login box, hence generating an e-mail (which is blank with regards ID).

Does anyone know how I can modify things so that only failed login attempts generate an e-mail rather than all of them?

Thanks

Alan

jonathen

How about this - you do not need to use htaccess, just include this in the page you want protected. This is only off the top of my head, so you may need to make some changes, and I would advise you test it all out first. Not sure if it'll work with register_globals=off:

$selfSecure = 1;
$fromEmail  = $HTTP_SERVER_VARS["SERVER_ADMIN"];
$user="your_user";
$pass="your_pass";
if($selfSecure){
    if (($PHP_AUTH_USER!=$user)||($PHP_AUTH_PW!=$pass)) {
       Header('WWW-Authenticate: Basic realm="Members Area"');
       Header('HTTP/1.0 401 Unauthorized');
       echo "<html>
         <head>
         <title>Error - Access Denied</title>
         </head>
         <strong>Access denied<br>
         A warning message has been sent to the webmaster.  Your IP address has also been recorded
         <hr>";
       if(isset($PHP_AUTH_USER)){
          $warnMsg ="
 Somebody tried to access the members page on: [url]http://[/url]".$HTTP_SERVER_VARS["HTTP_HOST"]."$PHP_SELF
 using the wrong username or password:

 Date: ".date("Y-m-d H:i:s")."
 IP: ".$HTTP_SERVER_VARS["REMOTE_ADDR"]."
 User Agent: ".$HTTP_SERVER_VARS["HTTP_USER_AGENT"]."
 username used: $PHP_AUTH_USER
 password used: $PHP_AUTH_PW

   ";
      mail($email,"Unauthorized Access",$warnMsg,
      "From: $fromEmail\nX-Mailer:$Version AutoWarn System");
   }
   exit;
}
}

if(!$oCols)$oCols=$termCols;
if(!$oRows)$oRows=$termRows;

HTH

Jonathen

alanjrobertson

Hi Jonathen

Many thanks for your quick and full reply!

Unfortunately I've got quite a long list of users and also a whole folder (including non-PHP files) that I want to secure, hence why I've gone down the .htaccess route.

Thinking about it further, what I may just do is check whether $PHP_AUTH_USER is empty or not before I e-mail. It seems that with authorised logins this field is blank at the time the script is called (as this appears to occur before the HTTP-AUTH login popup appears) & with unauthorised logins it'd be pretty unlikely they'd bother trying to login without and ID (so I'll just not bother with logging them).

Thanks again for your suggestion though.

Kind regards,

Alan

alanjrobertson

Seemed to do the trick!

Here's the code I used:

<?php
$login = $PHP_AUTH_USER;
if ($login <> "") { //only e-mail if user ID was entered in HTTP-AUTH login box

if (!isset($REMOTE_ADDR)) { 
    $p_remoteaddr = "no client address"; 
} else { 
    $p_remoteaddr = $REMOTE_ADDR; 
};

$date = date("r");
$login = $PHP_AUTH_USER;

$to = "webmaster <webmaster@website.tld>" . ", " ;

/* subject */
$subject = "website secure area - unauthorised access detected";

/* message */
$message = "
---------------------------------------------------
WEBSITE SECURE AREA - UNAUTHORISED LOGIN DETECTED
---------------------------------------------------

An unauthorised attempt was made to access the secure area - details below.

Date/time: $date

IP: $p_remoteaddr

Login ID used: $login
";

/* set content type */
$headers  = "Content-Type: text/plain; charset=iso-8859-1\r\n";
$headers  .= "Content-Transfer-Encoding: 7bit\r\n";

/* additional headers */
$headers .= "From: webserver <server@website.tld>\r\n";

/* and now mail it */
mail($to, $subject, $message, $headers);
} // end if loop from line 2 of code
?>