We have a few servers that run csf + lfd. lfd is set up so that it e-mails me every time an account is being blocked - whether it's for a port scan or failed login attempts. For some time now I have been wondering if there is a way to see which password was attempted at the failed login attempt.
So is there any kind of report - through lfd or other tool - that would not only report IP and user name, but the password as well?
I don't get it. Why would you need to know this? It may just be a brute force guess. It could also be someone putting in one IP wrong and you capture their password.
When I was writing this I had at least two reasons on my mind; now that you're asking, I think I can come up with more:
1. See if the same sequence is being attempted from different IPs (like, you know, password1, password2 from one IP and immediately after that password3, password4 from another).
2. See if any of my passwords got leaked. From an attacker's perspective it's worth trying the same password against multiple accounts that belong to me, so if I miss a successful login at one spot it's worth tracing an unsuccessful attempt with the same password at another.
3. I have a few clients who use webmail and fail to produce correct passwords even after 5 attempts (it's much easier to type the same wrong sequence five times rather than stop and think after the first two failures). By seeing who typed what I can tell that person exactly what they are doing wrong. This is especially the case when people are using multiple keyboard layouts and forget to switch from one to another. I ALREADY KNOW all their passwords, since I had set them up, but this will just help me get better at customer service.
4. Seeing the attempted password may help me decide what actually happens - someone is trying a wrong host or deliberately attempting to get through. Same password repeated over and over means someone is ringing up the wrong door. Different passwords mean lock picking.
5. If nothing else - plain curiosity. I want to know how stupid they think I am - because I just might be stupid enough, and I want to find out sooner rather than later.
See, it all boils down to intentions. I can see how I can protect myself and my clients better by knowing what's going on at the perimeter.
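An added example, not part of the original thread and not csf/lfd code: the triage described in reasons 2 and 4 above, run over constructed records. It assumes some hypothetical capture mechanism already yields (IP, account, attempted password) tuples, and it keeps only a keyed fingerprint of each password instead of the plaintext; the key, record format and sample data are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed key; a real deployment would load a secret from protected storage.
KEY = b"constructed-example-key"

def fingerprint(password):
    """Keyed digest so attempts can be compared without storing plaintext."""
    return hmac.new(KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def classify_sources(attempts):
    """Label each (ip, user) pair by how its attempted passwords vary (reason 4)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ip, user, fp in attempts:
        counts[(ip, user)][fp] += 1
    labels = {}
    for pair, fps in counts.items():
        if len(fps) > 1:
            labels[pair] = "lock picking"    # different passwords tried
        elif sum(fps.values()) > 1:
            labels[pair] = "wrong door"      # same password over and over
        else:
            labels[pair] = "single attempt"  # too little to judge
    return labels

def reused_across_accounts(attempts):
    """Fingerprints tried against more than one account (reason 2)."""
    users, ips = defaultdict(set), defaultdict(set)
    for ip, user, fp in attempts:
        users[fp].add(user)
        ips[fp].add(ip)
    return {fp: (sorted(users[fp]), sorted(ips[fp]))
            for fp in users if len(users[fp]) > 1}

# Constructed sample records: (source IP, account, attempted password).
# Addresses come from the documentation ranges; nothing here is real data.
SAMPLE = [(ip, user, fingerprint(pw)) for ip, user, pw in [
    ("192.0.2.10", "alice", "Summer2019"),
    ("192.0.2.10", "alice", "Summer2019"),
    ("192.0.2.10", "alice", "Summer2019"),
    ("198.51.100.7", "bob", "password1"),
    ("198.51.100.7", "bob", "password2"),
    ("203.0.113.5", "bob", "password3"),
    ("203.0.113.5", "carol", "password3"),
]]

if __name__ == "__main__":
    for pair, label in sorted(classify_sources(SAMPLE).items()):
        print(pair, label)
    print(reused_across_accounts(SAMPLE))
```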