trapping 401 errors


SM777

Technical User
Mar 7, 2001
208
GB
I'm trying to trap 401 errors by redirecting users to a page which will log their IP address if they enter a wrong password or username.

I got the logging bit right using a perl script with SSI in an shtml doc but I'm having problems with the redirect.

In the .htaccess in the public_html dir I have:

AuthType Basic
AuthName MySite
<Limit GET POST>
deny from xxxxx
</Limit>
ErrorDocument 404 /~acmedude/404.html
ErrorDocument 401 /~acmedude/401.shtml

The 404 redirect works fine but when I try to access a secure area on the site eg


and then put in a duff password I get the 401.shtml page but the images are not found - it's like the page is in the wrong sub folder. Also the password box keeps popping up even though I cancel it.

What am I doing wrong?
 
Further to my last. Does anyone know how I can get the exact client's IP address rather than their proxy server address?

I'm logging

$ENV{'REMOTE_HOST'} - This shows proxy server [cache-loh-ad04.proxy.aol.com]

$ENV{'REMOTE_ADDR'} - Assuming this is the IP of the proxy server and not the client's PC

$ENV{'HTTP_REFERER'}
$ENV{'QUERY_STRING'}
$ENV{'HTTP_USER_AGENT'} - This is blank
$ENV{'HTTP_CLIENT_IP'} - This is blank
$ENV{'HTTP_VIA'} - This is blank

How do I get the exact IP address of the client and not the IP of the proxy?

Why are the last 3 blank and would they show anything useful anyway?

How do I log what username or password they were trying to use?

So many questions. Grateful if you could help. I'm getting a few password cracking attempts and the ISP (not AOL) WON'T assist me because I'm not giving them the client IP address.

Cheers.
 
Hi,

Well, last one first because it's easier...

I'm fairly sure that you will not get any information beyond the proxy server itself. The way proxies work is that they keep internal records matching requesting clients to outbound requests and resultant responses, but everything that goes between the proxy and the internet appears solely to originate at the proxy. It's like network address translation in that sense.

Of the other environment variables - you would usually get something sensible in HTTP_USER_AGENT but I guess the proxy suppresses it or it's something to do with AOL. Following is more typical:

HTTP_USER_AGENT: Mozilla/4.76 (Linux 2.4.12 i686; U) Opera 5.0 [en]

Regards
 
Well I've modified the script and I'm now getting something more meaningful.

REMOTE_HOST inktomi1-nor.server.XXX.com
REMOTE_ADDR YYY.YYY.YYY.YYY
HTTP_REFER
QUERY_STRING
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; VNIE5
HTTP_CLIENT_IP ZZZ.ZZZ.ZZZ.ZZZ
HTTP_VIA HTTP/1.1 XXX_site[C0A80101] (Traffic-Server/3.5.7-10686 [uScMs f p eN:t cCMi p s ])

I'm assuming YYY.YYY.YYY.YYY is the IP of the proxy server. ZZZ.ZZZ.ZZZ.ZZZ is a different number so must be the client's IP address.

The HTTP_VIA looks confusing and could do with some explaining as to what it indicates. In some cases I think it also shows the Computer Name of the workstation as set in network neighbourhood properties, identification.

As I say, I need to identify the true Client IP so I can give evidence to the ISP of a password cracking attempt. Can anyone confirm ZZZ.ZZZ.ZZZ.ZZZ is the client IP?

And I still got the problem where the 401.shtml page fires up half a dozen or so login boxes so the log file shows 6 hits per user.

Would I be better off embedding the 401.shtml into the perl script and then modifying .htaccess to run the perl script on errordocument 401 instead of the .shtml and then SSI to the script?

Cheers.
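
The approach raised in the last post (pointing ErrorDocument 401 at the Perl script itself), as an added example that is not code from any poster in this thread: it logs the connecting address separately from the proxy-supplied headers, which are values the requester can set and so are recorded as claims rather than as a verified client IP. The log path, the X-Forwarded-For field and the page markup are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: CGI handler for "ErrorDocument 401".
use strict;
use warnings;
use Fcntl qw(:flock);
use POSIX qw(strftime);

my $LOG = '/path/outside/webroot/auth_fail.log';   # placeholder path (assumption)

# Replace control and non-ASCII bytes and cap the length, so text supplied by
# the client cannot forge extra log lines or bloat the file.
sub clean {
    my ($v) = @_;
    return '-' unless defined $v && length $v;
    $v =~ s/[^\x20-\x7E]/?/g;
    $v =~ tr/"/'/;
    return substr($v, 0, 200);
}

# One line per failed attempt. REMOTE_ADDR is the address of the TCP peer (the
# proxy, when one is in use). Each HTTP_* value is copied from a request header,
# so it is logged as an unverified claim. X_FORWARDED_FOR is an added field.
sub log_line {
    my ($e) = @_;
    return join(' ',
        strftime('%Y-%m-%dT%H:%M:%SZ', gmtime),
        'peer=' . clean($e->{REMOTE_ADDR}),
        'url="' . clean($e->{REDIRECT_URL}) . '"',   # URL that produced the 401
        map(sprintf('%s="%s"', lc($_), clean($e->{"HTTP_$_"})),
            qw(CLIENT_IP X_FORWARDED_FOR VIA USER_AGENT)),
    ) . "\n";
}

unless (caller) {   # run as a CGI only when executed directly
    if (open(my $fh, '>>', $LOG)) {
        flock($fh, LOCK_EX) or warn "cannot lock $LOG: $!";
        print {$fh} log_line(\%ENV);
        close($fh) or warn "cannot close $LOG: $!";
    } else {
        warn "cannot open $LOG: $!";   # goes to the server error log
    }
    # Repeat the status so the client still receives a 401 with the page.
    print "Status: 401 Unauthorized\r\n";
    print "Content-Type: text/html\r\n\r\n";
    print "<html><body><h1>Authorization required</h1></body></html>\n";
}
```

Any images or stylesheets added to the page should use absolute URLs outside the protected directory, because the browser resolves relative URLs against the address it requested, not the script's location.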
 