Subsonic Forum

[Krosscheck]

Hello. When i look at the ABOUT section of my Subsonic site, i can see a short log and the message at the bottom says, "The complete log is saved in c:\subsonic\subsonic.log".

However, when i go to c:\subsonic\subsonic.log, all i see in the log is the same 20 lines. Is there a way to produce and see a larger set of logs? I have noticed a lot of failed attempts to login and I'd like to start compiling a database of these IP addresses.

Thank you - Chung in NYC

[toolman]

I'm sorry to say that that logfile is indeed very limited and I haven't found any other logfile with relevant information about security-issues like who is trying to log in.
Since my Subsonic server is the target of some scriptkiddies trying to hack my server I just check my logfile daily and block ip-adresses trying to log in and reporting them on https://www.abuseipdb.com/. I think it's a pity that Sindre forgot to pay some more attention to the security of Subsonic. I would like some features like a lock-out on X failed log in attempts and renaming or removing the admin-account and saving the logfiles on a daily basis.

[G8DHE]

Up until after version 6.0 the log had all that was needed;

Code: Select all

[2017-11-12 10:17:17,687] INFO JukeboxService - geoff starting jukebox for "The Magical Journeys of Andreas Vollenweider\15 - The Play of the Five Balls (from White Winds).mp3"
[2017-11-12 10:19:24,015] INFO LoginFailureLogger - Login failed for [fred] from [84.92.63.102]
[2017-11-12 10:19:29,343] INFO LoginFailureLogger - Login failed for [fred] from [84.92.63.102]
[2017-11-12 10:19:33,828] INFO LoginFailureLogger - Login failed for [fred] from [84.92.63.102]
[2017-11-12 10:22:56,359] DEBUG JukeboxService - Closed line com.sun.media.sound.DirectAudioDevice$DirectSDL@10ad6a4

I use a script for FTP to kick off scriptkiddies but not needed it for Subsonic to date, it can easily be modified to open the Subsonic log rather than the EventViewer log, and then route incoming IP connects to a non-existing device!

Code: Select all

' Push Event Viewer Alert
WScript.Echo("FTP IP Address blocker")
Wscript.Echo("Started @ "+FormatDateTime(Now,vbGeneralDate))
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set eventSink = wscript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")
strWQL = "Select * from __InstanceCreationEvent where TargetInstance isa  'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink,strWQL
WScript.Echo("Waiting for event")
'Keep it going forever
While (True)
Wscript.Sleep(1000)
Wend

Sub EVSINK_OnObjectReady(objObject, objAsyncContext)
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = CreateObject("MSWC.IISLog")
Set WshShell = WScript.CreateObject("WScript.Shell")

' serverIP =  "93.97.160.198"
serverIP =  "84.92.63.102"
xMax = 3   'Max number of invalid login attempts
xLogFiles = 10000  'Max number of log files to keep in the folder before deleting them

Set objFolder = objFSO.GetFolder("W:\WEBSHARE\LogFiles\MSFTPSVC1\")
Set objFiles = objFolder.Files
For Each fileName In objFiles
  lastFile = fileName
  Set f = objFSO.GetFile(fileName)
' Do not delete files in my case
'  If f.DateCreated <= Date - xLogFiles Then objFSO.DeleteFile FileName, True
  Set f = Nothing
Next
WScript.Echo("Last File found - " + lastFile)

Set objFiles = Nothing
Set objFolder = Nothing

objLog.OpenLogFile lastFile, 1, "MSFTPSVC", 1, 0
While NOT objLog.AtEndOfLog
  objLog.ReadLogRecord
  clientIP = trim(objLog.ClientIP)
  xStatus = trim(objLog.ProtocolStatus)
  If xStatus = "530" AND NOT (clientIP = serverIP) then
   If objDictionary.Exists(ClientIP) Then
    objDictionary.Item(clientIP) = cStr(Clng(objDictionary.Item(clientIP)) + 1)
   Else
    objDictionary.Add  clientIP,"1"
   End If
  End If
Wend
objLog.CloseLogFiles 1

xTest = xTest
For Each xClient in objDictionary.Keys
  If Clng(objDictionary.Item(xClient)) < xMax then
   objDictionary.Remove(xClient)
  Else
   xTest = True
   WshShell.Run "ROUTE -p ADD " & xClient & " MASK 255.255.255.255 " & "192.168.1.250" & " METRIC 11", 1, True     
WScript.Echo("Blocked "+xClient+" IP @"+FormatDateTime(Now,vbGeneralDate))
  End If
Next

If xTest then WshShell.LogEvent 4, "FTP 530 Event(s) exceeded xMax occurrances. BAD ROUTE(s) assigned"

Set WshShell = Nothing
Set objLog = Nothing
Set objFSO = Nothing
Set objDictionary = Nothing
End Sub

[Krosscheck]

Thanks for the reply. I see several attempts every day. My temporary fix is to have my security software block the IP for an hour. I figure that the attacker will move on after that. I also keep a text file with IP addresses. But i do wish that there was a way to get the logs from Subsonic too.

I'm sorry to say that that logfile is indeed very limited and I haven't found any other logfile with relevant information about security-issues like who is trying to log in.
Since my Subsonic server is the target of some scriptkiddies trying to hack my server I just check my logfile daily and block ip-adresses trying to log in and reporting them on https://www.abuseipdb.com/. I think it's a pity that Sindre forgot to pay some more attention to the security of Subsonic. I would like some features like a lock-out on X failed log in attempts and renaming or removing the admin-account and saving the logfiles on a daily basis.

[Krosscheck]

Thanks! I just wish that we could specify how long to keep the logs. Right now, the log seems to only keep about 20 lines before overwriting it...

[quote="G8DHE"]Up until after version 6.0 the log had all that was needed;
I use a script for FTP to kick off scriptkiddies but not needed it for Subsonic to date, it can easily be modified to open the Subsonic log rather than the EventViewer log, and then route incoming IP connects to a non-existing device!

[toolman]

Thanks! I just wish that we could specify how long to keep the logs. Right now, the log seems to only keep about 20 lines before overwriting it...

I don't know on what basis the logfile gets erased, but it's certainly not based on length or age.
My logfile reads:

[11/11/17 4:13:28 PM CET] INFO MediaScannerService Scanned media library with 182000 entries.
[11/11/17 4:13:29 PM CET] INFO MediaScannerService Scanned media library with 182250 entries.
[11/11/17 4:13:30 PM CET] INFO MediaScannerService Scanned media library with 182500 entries.
[11/11/17 4:13:31 PM CET] INFO MediaScannerService Scanned media library with 182750 entries.
[11/11/17 4:13:32 PM CET] INFO MediaScannerService Scanned media library with 183000 entries.
[11/11/17 4:13:33 PM CET] INFO MediaScannerService Scanned media library with 183250 entries.
[11/11/17 4:13:34 PM CET] INFO MediaScannerService Scanned media library with 183500 entries.
[11/11/17 4:13:35 PM CET] INFO MediaScannerService Scanned media library with 183750 entries.
[11/11/17 4:13:36 PM CET] INFO MediaScannerService Scanned media library with 184000 entries.
[11/11/17 4:13:37 PM CET] INFO MediaScannerService Scanned media library with 184250 entries.
[11/11/17 4:13:38 PM CET] INFO MediaScannerService Scanned media library with 184500 entries.
[11/11/17 4:13:39 PM CET] INFO MediaScannerService Scanned media library with 184750 entries.
[11/11/17 4:13:40 PM CET] INFO MediaScannerService Scanned media library with 185000 entries.
[11/11/17 4:13:41 PM CET] INFO MediaScannerService Scanned media library with 185250 entries.
[11/11/17 4:13:42 PM CET] INFO MediaScannerService Scanned media library with 185500 entries.
[11/11/17 4:13:43 PM CET] INFO MediaScannerService Scanned media library with 185750 entries.
[11/11/17 4:13:44 PM CET] INFO MediaScannerService Scanned media library with 186000 entries.
[11/11/17 4:13:45 PM CET] INFO MediaScannerService Scanned media library with 186250 entries.
[11/11/17 4:13:45 PM CET] INFO MediaScannerService Scanned media library with 186500 entries.
[11/11/17 4:13:47 PM CET] INFO MediaScannerService Scanned media library with 186750 entries.
[11/11/17 4:13:48 PM CET] INFO MediaScannerService Scanned media library with 187000 entries.
[11/11/17 4:13:49 PM CET] INFO MediaScannerService Scanned media library with 187250 entries.
[11/11/17 4:13:50 PM CET] INFO MediaScannerService Scanned media library with 187500 entries.
[11/11/17 4:13:51 PM CET] INFO MediaScannerService Scanned media library with 187750 entries.
[11/11/17 4:13:52 PM CET] INFO MediaScannerService Scanned media library with 188000 entries.
[11/11/17 4:13:53 PM CET] INFO MediaScannerService Scanned media library with 188250 entries.
[11/11/17 4:13:54 PM CET] INFO MediaScannerService Scanned media library with 188500 entries.
[11/11/17 4:13:54 PM CET] INFO MediaScannerService Scanned media library with 188750 entries.
[11/11/17 4:13:55 PM CET] INFO MediaScannerService Scanned media library with 189000 entries.
[11/11/17 4:13:56 PM CET] INFO MediaScannerService Scanned media library with 189250 entries.
[11/11/17 4:13:57 PM CET] INFO MediaScannerService Scanned media library with 189500 entries.
[11/11/17 4:13:58 PM CET] INFO MediaScannerService Scanned media library with 189750 entries.
[11/11/17 4:13:59 PM CET] INFO MediaScannerService Scanned media library with 190000 entries.
[11/11/17 4:14:00 PM CET] INFO MediaScannerService Scanned media library with 190250 entries.
[11/11/17 4:14:01 PM CET] INFO MediaScannerService Scanned media library with 190500 entries.
[11/11/17 4:14:02 PM CET] INFO MediaScannerService Scanned media library with 190750 entries.
[11/11/17 4:14:03 PM CET] INFO MediaScannerService Scanned media library with 191000 entries.
[11/11/17 4:14:04 PM CET] INFO MediaScannerService Scanned media library with 191250 entries.
[11/11/17 4:14:05 PM CET] INFO MediaScannerService Scanned media library with 191409 entries.
[11/11/17 4:14:05 PM CET] INFO MediaScannerService Marking non-present files.
[11/11/17 4:14:13 PM CET] INFO MediaScannerService Marking non-present artists.
[11/11/17 4:14:13 PM CET] INFO MediaScannerService Marking non-present albums.
[11/11/17 4:14:13 PM CET] INFO MediaScannerService Completed media library scan.
[11/11/17 4:14:16 PM CET] INFO PlaylistService Starting playlist import.
[11/11/17 4:14:16 PM CET] INFO PlaylistService Completed playlist import.
[11/11/17 5:14:45 PM CET] INFO InternetRadioStreamController Starting converter for radio: c:\subsonic\transcode\ffmpeg -i
[11/12/17 2:23:52 PM CET] INFO PodcastService Starting scheduled Podcast refresh.
[11/12/17 2:23:52 PM CET] INFO PodcastService Completed scheduled Podcast refresh.
[11/13/17 2:23:52 PM CET] INFO PodcastService Starting scheduled Podcast refresh.
[11/13/17 2:23:52 PM CET] INFO PodcastService Completed scheduled Podcast refresh.

That's more than 20 lines and also spanning almost 3 days.
I guess I could write a batchfile which copies the logfile every day to some location where it doesn't get overwritten or deleted.