Page 1 of 1
Are attempts to log in via web interface logged?
Posted: 04 Apr 2011, 20:38
by RandomUsername
Hi all,
Does anyone know if attempts to log into the B2's web interface are logged anywhere? I assumed they'd be in auth.log but that doesn't seem to be the case.
A trawl through all my other log files would suggest that they're not but I'd like confirmation.
Thanks.
Darren.
Re: Are attempts to log in via web interface logged?
Posted: 06 Apr 2011, 14:46
by Cheeseboy
Hi Darren,
After some experiments, I concur.
No trace under /var/log anyway, either for a wrong password for an existing user, or a completely invalid combo.
I was starting to try to strace apache to find out what was going on, but then I realized I have no cause and I'm too tired, and I shouldn't get so involved again all the time...
Cheers,
Cheeseboy
Re: Are attempts to log in via web interface logged?
Posted: 06 Apr 2011, 14:50
by RandomUsername
Thanks for confirming. I wouldn't mind an indication if someone is repeatedly attempting to log on to my server.
Re: Are attempts to log in via web interface logged?
Posted: 06 Apr 2011, 15:50
by 6feet5
Hi,
One way (may not be the best way, I wouldn't know since I'm no expert) is to add one line in the file "/usr/share/web-admin/admin/models/auth_model.php". Locate the "Login" method and go to the else-statement (where it says "do nothing on failed attempt") and add the following line (just above the "do nothing.."-comment, or just above the return statement)
Code: Select all
syslog( LOG_WARNING, "Failed login attempt: Tried to login as '$username' from {$_SERVER['REMOTE_ADDR']} (using '{$_SERVER['HTTP_USER_AGENT']}')");
This will add a message to the "/var/log/messages" on each failed login attempt with some info that might be of interest.
As I mentioned, I'm no expert, so there may be security issues with this. And be sure to backup the file before you do anything
/Johan
Re: Are attempts to log in via web interface logged?
Posted: 06 Apr 2011, 17:16
by RandomUsername
Thanks Johan, I'll look into giving that a try.
Re: Are attempts to log in via web interface logged?
Posted: 07 Apr 2011, 14:39
by RandomUsername
Works a treat. Thanks!
Re: Are attempts to log in via web interface logged?
Posted: 07 Apr 2011, 14:49
by DanielM
6feet5 wrote:Code: Select all
syslog( LOG_WARNING, "Failed login attempt: Tried to login as '$username' from {$_SERVER['REMOTE_ADDR']} (using '{$_SERVER['HTTP_USER_AGENT']}')");
Can't really understand why nothing like this was there from the start. Could you send that code line to Excito and suggest that they put it in their official code?
/Daniel
Re: Are attempts to log in via web interface logged?
Posted: 07 Apr 2011, 15:26
by Ubi
i was thinking exactly that
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 04:06
by RandomUsername
Not taking credit for Johan's work but I've taken the liberty of sending this to Excito.
Cheers.
Darren.
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 05:27
by Magnus
Thanks for highlighting this.
Will add this as a feature request.
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 07:07
by kjellberg
Lovely!
If someone could just figure out a way to get rid of all the Cron printouts in the syslog aswell and the log would be really usefull!
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 12:21
by 6feet5
Thanks Darren,
And while we wait for the official version, replace previous code with
Code: Select all
openlog("web-admin", LOG_ODELAY, LOG_AUTHPRIV);
syslog( LOG_WARNING, "Failed login attempt: Tried to login as '$username' from {$_SERVER['REMOTE_ADDR']} (using '{$_SERVER['HTTP_USER_AGENT']}')");
closelog();
This will make the log entry end up in /var/log/auth.log (which I think is the right place, correct me if I'm wrong). Also, the application will be identified as web-admin instead of the apache php module.
/Johan
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 12:32
by RandomUsername
Thanks Johan, I'll give it a whirl.
[EDIT]As this is going to get written to auth.log any ideas if this would show up in logwatch? If not, does anyone know how to add it?
[EDIT 2]It looked quite complicated at first but this:
http://my.opera.com/Andrew%20Gregory/bl ... o-logwatch makes it sound quite simple. A simple script grepping auth.log for the appropriate output should be good enough.
[EDIT 3]With Johan's change it looks like these are now picked up by logwatch under the heading
Connections (secure-log) Begin
Sweet!
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 18:31
by Cheeseboy
Thanks!
Implemented.
Code: Select all
Apr 9 00:30:29 b3 web-admin: Failed login attempt: Tried to login as 'monkey' from 192.168.10.65 (using 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16')
Re: Are attempts to log in via web interface logged?
Posted: 08 Apr 2011, 18:50
by Cheeseboy
As this is going to get written to auth.log any ideas if this would show up in logwatch?
I use logcheck. This is in the email I get from it, without any changes apart from the above:
Code: Select all
Apr 9 00:30:29 b3 web-admin: Failed login attempt: Tried to login as 'monkey' from 192.168.10.65 (using 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16')