
I am sure that LFD (Login Failure Daemon) checks Apache's error log for failed HTTP authentication attempts, i.e. log entries like:

 [Mon Feb 25 10:12:45 2013] [error] [client 10.0.0.1] user FAKEUSER not found: /index.html
 [Mon Feb 25 10:11:56 2013] [error] [client 10.0.0.1] user REALUSER: authentication failure for "/index.html": Password Mismatch

All the attempts above are failed HTTP Basic logins. The following one is a failed HTTP Digest auth from the same error_log:

 [Mon Feb 25 10:10:37 2013] [error] [client 10.0.0.1] Digest: user 'FAKEUSER' in realm 'REALM' not found: index.html

Am I right in thinking that this would suggest that LFD does not check for failed HTTP Digest logins? And if so, is there an easy way to add such a "validation" pattern to the script?

Any suggestion would be much appreciated!

WooDzu

1 Answer


Ok, made a solution myself:

Go and edit file: /etc/csf/regex.custom.pm

Before the line starting with:

# The return values from this example are as follows:

Add the following regex:

# 1. Include failed HTTP Digest method - Invalid User
if (($config{LF_HTACCESS}) and ($lgfile eq $config{HTACCESS_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Digest: user `(\S*)' in realm `\S+' not found:/)) {
        return ("Failed web page login from",$1,"htdigest",5,"80,443","1");
}

# 2. Include failed HTTP Digest method - Invalid Password
if (($config{LF_HTACCESS}) and ($lgfile eq $config{HTACCESS_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Digest: user (\S*): password mismatch:/)) {
        return ("Failed web page login from",$1,"htdigest",5,"80,443","1");
}
WooDzu
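
An offline check for the two patterns in the answer above, added here as an example (it is not part of the original answer or of CSF): it runs the posted regexes against sample error_log lines before they go into /etc/csf/regex.custom.pm. The question's Digest sample shows straight quotes around the user and realm while the posted pattern expects a backtick before each, so the script also tries a `@tolerant` variant; that variant, the `classify` helper and the two middle sample lines are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Patterns copied verbatim from the answer's regex.custom.pm additions.
my @posted = (
    [ 'invalid user',     qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Digest: user `(\S*)' in realm `\S+' not found:/ ],
    [ 'invalid password', qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Digest: user (\S*): password mismatch:/ ],
);

# Assumed variant (not from the page): accept either opening quote character
# and realm names that contain spaces.
my @tolerant = (
    [ 'invalid user',     qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Digest: user [`'](\S*)' in realm [`'][^']+' not found:/ ],
    $posted[1],
);

# Hypothetical helper: return (label, client IP) for the first pattern that
# matches the line, or an empty list when none does.
sub classify {
    my ($line, @patterns) = @_;
    for my $p (@patterns) {
        my ($label, $re) = @$p;
        return ($label, $1) if $line =~ $re;
    }
    return;
}

# First and last lines are quoted from the question; the middle two are constructed.
my @lines = (
    q{[Mon Feb 25 10:10:37 2013] [error] [client 10.0.0.1] Digest: user 'FAKEUSER' in realm 'REALM' not found: index.html},
    q{[Mon Feb 25 10:10:37 2013] [error] [client 10.0.0.1] Digest: user `FAKEUSER' in realm `REALM' not found: index.html},
    q{[Mon Feb 25 10:11:02 2013] [error] [client 10.0.0.1] Digest: user REALUSER: password mismatch: /index.html},
    q{[Mon Feb 25 10:12:45 2013] [error] [client 10.0.0.1] user FAKEUSER not found: /index.html},
);

# Report, per line, what each pattern set would hand back to LFD.
for my $line (@lines) {
    my ($pl, $pip) = classify($line, @posted);
    my ($tl, $tip) = classify($line, @tolerant);
    print "$line\n";
    printf "  posted:   %s\n", defined $pl ? "$pl from $pip" : 'no match';
    printf "  tolerant: %s\n", defined $tl ? "$tl from $tip" : 'no match';
}
```

Replace the sample lines with ones copied from your own error_log; a line that reports "no match" under the pattern you deploy is a failed login LFD will not count.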