[Feature Request] Add a failed logins log #41

Closed
elmerfdz opened this issue Jan 16, 2017 · 34 comments

@elmerfdz
Collaborator

Could you please add a failed logins log in settings? Will be quite useful to see if anyone is being naughty.

@rix1337
Sponsor Contributor

rix1337 commented Jan 17, 2017

And even better, we could write a fail2ban filter for the login page!

http://www.fail2ban.org/wiki/index.php/Main_Page

+1

@causefx
Owner

causefx commented Jan 17, 2017

@rix1337 that would be awesome but Fail2Ban relies on Python. Not sure everyone knows how to set that up. We can have it as an option maybe.

@rix1337
Sponsor Contributor

rix1337 commented Jan 17, 2017

I phrased it wrong.

Assuming one has set up fail2ban already, if Organizr offered a log containing

timestamp - IP - bad auth

We could write a fail2ban rule, that would work properly.

Look at how those configs work at: https://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban

@causefx
Owner

causefx commented Jan 17, 2017

Ahhhh yes. :)

@causefx
Owner

causefx commented Jan 19, 2017

@rix1337 @Githubtordl

I'm storing the info in a file on the server that is written in JSON.

Here is the preview:
image

@rix1337
Sponsor Contributor

rix1337 commented Jan 19, 2017

Making the log path configurable would be perfect.

Looking very good so far, I guess we can easily set up a regex rule for fail2ban then!

@causefx
Owner

causefx commented Jan 19, 2017

Yea that is what I was thinking on both suggestions.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

This should work with fail2ban. Will test over the weekend:
https://gist.github.com/rix1337/d87b4b59200bcfe4efd2273d3991cb32

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

I've just checked the fail2ban manual:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters

> In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.

Any way you could (also) produce a standard log file more similar to the nginx one? Optionally stored at a custom path?

20-01-2017 01:02:03 [1.2.3.4] "user" "bad_auth"

They do not offer a way to regex custom timestamps..

> The pattern or regex to match the time stamp is currently not documented, and not available for users to read or set

With this log I could automatically ban anyone trying to brute force my login info! (Which would be super awesome)

@causefx
Owner

causefx commented Jan 20, 2017

i can make the time stamp match this: 20-01-2017 01:02:03

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

EDIT for clarification:

Thank you for checking this!

fail2ban for some reason requires logs that separate entries into new lines & begin with a timestamp
fail2ban rules identify IPs to ban with a special <HOST> code, but don't allow the same for timestamps.

I'll try to get more info tonight, but it seems a logfile as suggested above would be the only thing working here...

@causefx
Owner

causefx commented Jan 20, 2017

hmmm
ok, i'll check this tonight

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

I tried it right now, and fail2ban is not limited by the way the timestamp is offered, but it requires newlines.

Could you add a newline before every {"date" tag? as in:
https://gist.github.com/rix1337/d66f7d9a1c81d9345e37491e6084790c

The working bad_auth regex for fail2ban is
","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}


Running tests
=============

Use   failregex line : ","username":"\S+","ip":"<HOST>","auth_type":"bad_...
Use         log file : /config/organizr/loginLog.json
Use         encoding : UTF-8


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 6 lines, 0 ignored, 2 matched, 4 missed
[processed in 0.00 sec]

|- Missed line(s):
|  {"logType":"login_log","auth":[
|  {"date":"2017-01-20 00:18:07","username":"rix","ip":"21.43.5.6","auth_type":"good_auth"},
|  {"date":"2017-01-20 06:25:58","username":"rix","ip":"21.43.5.6","auth_type":"good_auth"},
|  {"date":"2017-01-20 09:42:30","username":"rix","ip":"21.43.5.6","auth_type":"good_auth"},
`-

That would be all I need, and the json is still readable by organizr.

In contrast, the current json oneliner is not parsed correctly

fail2ban-regex /config/organizr/loginLog.json '","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}'

Running tests
=============

Use   failregex line : ","username":"\S+","ip":"<HOST>","auth_type":"bad_...
Use         log file : /config/organizr/loginLog.json
Use         encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
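An added example (not code from this thread, Organizr or fail2ban): a small Python model of the line-oriented matching shown in the comment above, run over constructed log entries in both layouts. The IPv4-only stand-in for `<HOST>`, the helpers `render`, `scan` and `to_ban`, and the `maxretry=3` threshold are assumptions made for illustration.

```python
import json
import re
from collections import Counter

# failregex exactly as posted in the thread; <HOST> is fail2ban's placeholder.
FAILREGEX = r'","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}'
# Assumption: IPv4-only stand-in for <HOST> (fail2ban's own expansion is broader).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample entries (documentation IP ranges, made-up usernames).
ENTRIES = [
    ("2017-01-20 00:18:07", "rix", "198.51.100.9", "good_auth"),
    ("2017-01-20 06:25:58", "admin", "203.0.113.7", "bad_auth"),
    ("2017-01-20 06:26:03", "admin", "203.0.113.7", "bad_auth"),
    ("2017-01-20 06:26:09", "root", "203.0.113.7", "bad_auth"),
    ("2017-01-20 09:42:30", "rix", "198.51.100.9", "good_auth"),
]
KEYS = ("date", "username", "ip", "auth_type")


def render(one_entry_per_line):
    """Serialize the log compactly, optionally breaking before each entry."""
    doc = {"logType": "login_log", "auth": [dict(zip(KEYS, e)) for e in ENTRIES]}
    text = json.dumps(doc, separators=(",", ":"))
    return text.replace('{"date"', '\n{"date"') if one_entry_per_line else text


def scan(log_text):
    """Model of per-line matching: first date on the line, one failure at most."""
    hits = []
    for line in log_text.splitlines():
        stamp, fail = DATE_RE.search(line), FAIL_RE.search(line)
        if stamp and fail:
            hits.append((stamp.group(0), fail.group("host")))
    return hits


def to_ban(hits, maxretry=3):
    """IPs whose failure count reaches maxretry (hypothetical threshold)."""
    counts = Counter(ip for _, ip in hits)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for per_line in (False, True):
        hits = scan(render(per_line))
        print(per_line, len(hits), to_ban(hits))
```

In this model the one-line log yields a single hit stamped with the first entry's date, so three failures never reach the threshold; with one entry per line each failure is counted with its own timestamp and the file still parses as the same JSON.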

@causefx
Owner

causefx commented Jan 20, 2017

by new line, do you mean like a break in line?

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

yeah! instead of

foo bar spam eggs

foo
bar
spam
eggs

sorry, english is not my primary language ^^

@causefx
Owner

causefx commented Jan 20, 2017

no worries, I can try that out tonight unless you want to edit yourself and try.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

I'll give it a shot. and thank you

@causefx
Owner

causefx commented Jan 20, 2017

lemme give you the line.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

user php, 602?

@causefx
Owner

causefx commented Jan 20, 2017

https://github.com/causefx/Organizr/blob/master/user.php#L610

change to $writeFailLog = json_encode($gotFailLog, JSON_PRETTY_PRINT);

https://github.com/causefx/Organizr/blob/master/user.php#L614

change to $writeFailLog = json_encode($failLogEntryFirst, JSON_PRETTY_PRINT);

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

I'll give it a shot, though I am only familiar with XML. Seems easy to get the format, though.

@causefx
Owner

causefx commented Jan 20, 2017

no worries man :) let me know how it goes.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

I tried my best, and the PR works for the front-end, as well as the fail2ban log daemon.

I really would like this functionality implemented (even if a proper log file, not breaking the json would be the better way). With this hack I am now successfully banning people after their third bad login attempt to my site!

@causefx
Owner

causefx commented Jan 20, 2017

nice, did the JSON_PRETTY_PRINT not work either?

Edit: Also this line doesn't need to be edited: $getFailLog = str_replace("\r\ndate", "date", file_get_contents(FAIL_LOG));

as you already apply str_replace on the variable that encodes the json.

Edit: Nevermind, i misread that line.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

No, because awesome as it may be, fail2ban is resistant to multiple line input.. There seem to be ways, but I can't get them to match the json file..

I know duplicate file creations make this project less clean, but could you just implement a function that on a bad login appended

Timestamp - [ip] - [username] - bad auth

to a simple something.log? I would really feel bad about the hack I wrote, just to get this feature going. Even though it works

@causefx
Owner

causefx commented Jan 20, 2017

The hack isn't bad.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

thank you,

> Also this line doesn't need to be edited: $getFailLog = str_replace("\r\ndate", "date", file_get_contents(FAIL_LOG));
>
> as you already apply str_replace on the variable that encodes the json.
>
> Edit: Nevermind, i misread that line.

At first I thought so, too. New log entries will go missing without it, though..

@causefx
Owner

causefx commented Jan 20, 2017

what do you mean?

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

nvm, was just confirming the line needs an edit 👍

@causefx
Owner

causefx commented Jan 20, 2017

ahhh yes, I need to see if my local hosted dev branch is updated, if it is i will pull this merge request into dev.

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

cool stuff. i contributed 🥇 😄

@causefx
Owner

causefx commented Jan 20, 2017

haha yes sir, thanks!

@rix1337
Sponsor Contributor

rix1337 commented Jan 20, 2017

just a heads up: the reformatted log file may cause issues with existing logs from this version..

since it's beta this should be fine..

@causefx
Owner

causefx commented Jan 20, 2017

Hmmmm. I'll take a look.
