Log User ID / Password Authentication Failures (Response Code 401) to Error Log for Monitoring and IDS/IPS Uses

TNewshel

When a user authentication failure occurs, DaDaBIK offers the option to insert a row in the table (ideally dadabik_failed-login). Unlike HTTP standard login failures for most web applications (see RFC 7235 and Apache logs), which are typically logged as response code 401 in the error log, DaDaBIK does not record the same failed login attempt. Other HTTP errors / responses are logged, but user authentication is not.
There are numerous benefits to having these authentication errors available in the error log. IDS/IPS tools like Fail2Ban can monitor for the standard Apache errors (including this failed authentication) and block the source IP address until cleared via standard Fail2Ban jail parameters. Although DaDaBIK can lock the user after "n" successive failed login attempts, a malicious brute force attack can vary both user and password, so IP blocking is the only effective control to prevent the continued attack. Additional open source tools like syslog / rsyslog monitoring (e.g. Graylog, Suricata, Snort), or crowd-sourced tools like CrowdSec, can be used to further enhance the monitoring and prevention.

Since DaDaBIK already logs many HTTP response errors and other codes to the error or auth logs, this seems like a very simple but incredibly useful enhancement. If for any reason the standard 401 error cannot be used, any consistent, predictable text string in the standard Apache / HTTP logs will suffice.

Please consider this consistent and industry-standard login notice in a future release.
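As an added illustration of the jail logic the post relies on (example code, not DaDaBIK's or Fail2Ban's own), here is a small Python emulation of a Fail2Ban filter and jail run over constructed Apache error-log lines that carry a consistent failed-login string. The log layout, the "DaDaBIK: failed login" marker, the usernames and the addresses are all assumptions; the point it shows is that blocking is keyed on the source IP, so an attacker rotating usernames still trips the threshold even though no single account is locked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache error_log style. The "DaDaBIK: failed login"
# text is an assumed, consistent marker of the kind the post asks for.
SAMPLE_LOG = """\
[Tue Mar 05 10:00:01.000000 2024] [core:error] [pid 123] [client 203.0.113.5:51000] DaDaBIK: failed login for user 'admin'
[Tue Mar 05 10:00:03.000000 2024] [core:error] [pid 123] [client 203.0.113.5:51002] DaDaBIK: failed login for user 'root'
[Tue Mar 05 10:00:04.000000 2024] [core:error] [pid 124] [client 198.51.100.7:44000] DaDaBIK: failed login for user 'alice'
[Tue Mar 05 10:00:05.000000 2024] [core:error] [pid 123] [client 203.0.113.5:51004] DaDaBIK: failed login for user 'guest'
[Tue Mar 05 10:00:09.000000 2024] [core:notice] [pid 123] [client 203.0.113.5:51006] DaDaBIK: login ok for user 'bob'
[Tue Mar 05 11:30:00.000000 2024] [core:error] [pid 125] [client 198.51.100.7:44010] DaDaBIK: failed login for user 'alice'
"""

# Equivalent of a Fail2Ban failregex: timestamp, then the client IP, then the marker.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\]"
    r" .*?\[client (?P<ip>[0-9.]+):\d+\] DaDaBIK: failed login for user"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_failures(log_text):
    """Return (timestamp, ip) for each line the filter matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {m['year']}", TS_FORMAT)
            hits.append((ts, m["ip"]))
    return hits


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Emulate a jail: ban an IP once it has >= maxretry matches within findtime."""
    windows = defaultdict(list)
    banned = []
    for ts, ip in sorted(parse_failures(log_text)):
        w = windows[ip]
        w.append(ts)
        # Drop matches that fell out of the sliding findtime window.
        while w and ts - w[0] > findtime:
            w.pop(0)
        if len(w) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned
```

With the sample above, 203.0.113.5 is banned after its third failure in a few seconds despite using three different usernames, while 198.51.100.7's two failures ninety minutes apart never accumulate within the window.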