prevent password sharing
harry
05-04-2004, 11:43 AM
I have a paid site that uses htaccess. I'd like to install something that would identify people who have shared their passwords. I found http://www.pennywize.com and it looks like it would work. It uses mod_rewrite which I don't understand, but I've been advised by fq that it is a can of worms.
Any comments or suggestions?
Thanks,
Harry
Stephen
05-04-2004, 12:40 PM
a cursory examination of that site reveals that pennywise simply logs the IP address along with the member login data and looks at the frequency of accesses and the distribution of IP addresses. given that it's not a particularly cheap solution, you might consider paying someone to modify your current login script, or replace it with another, so that IP data is recorded and queried for suspicious patterns. i have written similar code to spot repeat offenders on a voting poll.
i was going to say that mod_rewrite is probably used for the parts of pennywise that involve detecting hacking attacks, but i realized it's likely used to intercept the .htaccess login. you could still add an automatic login script behind the .htaccess login, based on cookies, which requires the user to login again the first time they access the directory, after which time it transparently logs the IP address and only reveals its presence when it detects a problematic access pattern, or the cookie disappears. that way i don't think you'd need mod_rewrite to implement this.
Chipmunk
05-04-2004, 07:32 PM
Harry, how have you implemented your current htaccess solution? If it's a separate user id and password for each subscriber, then you could use a log analyzer or a spreadsheet program to spot check your raw logs. Just sort by user id, then IP address, then date, and the suspicious ones should jump out.
Pennywize looks interesting, but if you don't need "real-time" blocking, then it's a lot simpler just to spot check once or so a week. As Stephen points out, a custom solution would be a lot cheaper than Pennywize, simpler, and be tuned to your exact needs. There's a few log geeks here, so you might want to float this in the contract forum.
Hi Harry,
Unless your htaccess login is utilizing a database, I think that I'd explore overhauling the whole thing. The big question, however, is whether your account includes MySQL.
-Matt
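The weekly spot check described in the thread (group the raw log by user id, then IP address, then date) can be scripted. The following is an added example, not code from any poster or from Pennywize; it assumes Apache common/combined log format with the HTTP-auth user in the third field, and the threshold of more than 2 distinct IPs per 24 hours is an arbitrary assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident authuser [time] "request" ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\]')

# Constructed sample lines (documentation IP ranges, made-up user names).
SAMPLE_LOG = """\
192.0.2.10 - alice [01/May/2004:09:00:01 -0400] "GET /members/ HTTP/1.1" 200 512
198.51.100.20 - alice [03/May/2004:12:05:12 -0400] "GET /members/ HTTP/1.1" 200 512
203.0.113.30 - alice [05/May/2004:20:30:00 -0400] "GET /members/ HTTP/1.1" 200 512
198.51.100.7 - bob [04/May/2004:09:10:00 -0400] "GET /members/ HTTP/1.1" 200 512
203.0.113.5 - bob [04/May/2004:09:40:30 -0400] "GET /members/b.html HTTP/1.1" 200 777
192.0.2.99 - bob [04/May/2004:10:15:00 -0400] "GET /members/c.html HTTP/1.1" 200 640
203.0.113.77 - - [04/May/2004:09:11:00 -0400] "GET /members/ HTTP/1.1" 401 401
not a log line
""".splitlines()

def parse(lines):
    """Yield (user, ip, time) for authenticated requests; skip everything else."""
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) == "-":      # malformed, or no authenticated user
            continue
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(2), m.group(1), ts

def suspicious_users(lines, max_ips=2, window=timedelta(hours=24)):
    """Return {user: sorted IPs} for users seen from > max_ips IPs in one window."""
    hits = defaultdict(list)
    for user, ip, ts in parse(lines):
        hits[user].append((ts, ip))
    flagged = {}
    for user, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print(suspicious_users(SAMPLE_LOG))
```

Flagged accounts are candidates for manual review rather than proof of sharing, since dial-up, mobile and proxy users can legitimately appear from several addresses in a day.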