0009538: Increase security by logging login failures to system log #4787

Open
Gloirin opened this Issue Jun 9, 2018 · 2 comments


Gloirin commented Jun 9, 2018

Reported by ingoratsdorf on 14 Jan 2014 23:40

Version: feature requests

Brute force attacks are becoming more frequent.
I noticed that some people tried to log in to my tine20 installation using standard account names, i.e. "Tine20", "admin", "administrator" etc.

I recently installed the anti-brute-force plugin on my Joomla installation and already had the first few IPs blocked.

Tine records login and success/failures in the access log but who reads that? And it cannot be used by programs like fail2ban etc.

So could there be a facility to log unsuccessful login attempts to apache or system log or some other system available log file?

Steps to reproduce: Try to login with wrong user name or wrong password.

No error in any system log, i.e. dmesg, auth, syslog, ...

Additional information: If an attacker tries to login with a wrong identity, we would like to block him after a few attempts. Not?
One could use fail2ban to do this if failure information was available to the underlying system.

I noticed that such information is written into the tine20 logfile:
WARN (4): Tinebase_Controller::login::106 Login with username test from x.x.x.x failed (-1)!

However this would only be available with at least warning level log switched on. I usually have it on error.
So could such events be piped through to syslog, i.e. like in the PHP examples:

syslog(LOG_WARNING, "Unauthorized client: $access {$_SERVER['REMOTE_ADDR']} ({$_SERVER['HTTP_USER_AGENT']})");

Gloirin commented Jun 11, 2018

Comment posted by pschuele on 15 Jan 2014 13:00

maybe we could add an option to the setup "log authentication failures to syslog".

btw: here is a pull request for fail2ban by Lars with the filter for the Tine 2.0 logfile -> fail2ban/fail2ban#583

Gloirin commented Jun 11, 2018

Comment posted by ingoratsdorf on 22 Mar 2018 06:03

I see that tine20 now logs to the tine logfile after x (user defined) attempts of unsuccessful logins.
However, the login attempt is per user, so if someone tries all different usernames, then we could have a DDOS.
Secondly, I noticed that the log format was changed from what was published for fail2ban, meaning fail2ban does not work anymore.

Should the log file be set to "colorize", then fail2ban fails completely as it fails to work out the escape sequences. I tried whatever regex for fail2ban, if colorize is set, all fails. As soon as colorize is off, the regexps do work again.

config.inc.php:
'logger' =>
array (
'active' => true,
'priority' => 4,
'filename' => '/var/tine20/log/tine20.log',
//'colorize' => true,
//'tz' => 'Pacific/Auckland',
),

So if someone wants to get this going (again), I suggest to:
a) switch colorize off (if it is on)
b) use the following new regex: "^.[\da-f]+ -- none -- - [\d+:T-]+ WARN (\d+): Tinebase_Controller::_loginFailed::\d+ Login with username . from <HOST> failed"
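
As an added illustration (not code from the Tine 2.0 project or from anyone in this thread), the following Python script runs a fail2ban-style filter over constructed log lines in the layout described above and shows why the colorized output defeats it until the escape sequences are stripped. It assumes a simplified stand-in for fail2ban's `<HOST>` placeholder, escapes the parentheses around the log level so the pattern matches the `WARN (4):` form quoted in the first comment, widens the username wildcard to `.+?`, and tallies failures per source host rather than per username.

```python
import re

# Stand-in for the <HOST> placeholder fail2ban expands in its filters (assumption).
HOST = r"(?P<host>[\w\-.]+)"

# Pattern adapted from the comment above; deviations: parentheses around the level
# are escaped so "WARN (4):" matches literally, username wildcard is ".+?".
FAILREGEX = re.compile(
    r"^.[\da-f]+ -- none -- - [\d+:T-]+ WARN \(\d+\): "
    r"Tinebase_Controller::_loginFailed::\d+ Login with username .+? from "
    + HOST + r" failed"
)

# ANSI SGR escapes, as written by the logger's 'colorize' option.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

# Constructed sample lines (not from a real installation; 192.0.2.0/24 is a
# documentation range). The last one is the colorized form of a failure.
LOG_LINES = [
    "x5f3a9c -- none -- - 2018-03-22T06:03:01+13:00 WARN (4): "
    "Tinebase_Controller::_loginFailed::164 Login with username admin from 192.0.2.10 failed (-1)!",
    "x5f3a9d -- none -- - 2018-03-22T06:03:05+13:00 WARN (4): "
    "Tinebase_Controller::_loginFailed::164 Login with username tine20 from 192.0.2.10 failed (-1)!",
    "x5f3a9e -- none -- - 2018-03-22T06:04:11+13:00 INFO (6): "
    "Tinebase_Controller::login::140 Login with username alice from 192.0.2.20 succeeded",
    "x5f3a9f -- none -- - 2018-03-22T06:05:00+13:00 \x1b[33mWARN (4)\x1b[0m: "
    "Tinebase_Controller::_loginFailed::164 Login with username root from 192.0.2.30 failed (-1)!",
]

def strip_ansi(line):
    """Remove colour escapes so a colorized line looks like a plain one."""
    return ANSI_RE.sub("", line)

def failed_login_host(line, strip_colors=False):
    """Return the source host of a failed-login line, or None if it is not one."""
    if strip_colors:
        line = strip_ansi(line)
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def count_failures_per_host(lines, strip_colors=False):
    """Tally failures by source host, so attempts spread over many usernames
    from one address still add up (the per-user concern raised above)."""
    counts = {}
    for line in lines:
        host = failed_login_host(line, strip_colors)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts
```

Calling `count_failures_per_host(LOG_LINES)` with and without `strip_colors=True` shows the colorized failure being counted only after the escapes are removed.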
