Log failed login attempts


Log failed login attempts

Postby mgrant » Tue May 12, 2009 12:19 am

My apologies if this has already been requested. I searched and did not find a previous request.

I'd like a way to tell if people are attempting and failing to login. At the least I'd like to know the IP address and username. Additionally it would be useful to me (though perhaps not desirable in general) to know what password the failed user tried.

Thanks,

-mg
mgrant
 
Posts: 76
Joined: Mon Mar 03, 2008 1:15 am

Re: Log failed login attempts

Postby martin » Mon Oct 10, 2011 5:53 am

Hi,

I would like to have some logging of (at least) failed login attempts (and maybe successful logins too) in the subsonic.log file. As in the previous post, the minimum additional information should be the source IP address and attempted username.
This information can be used on a subsonic server with internet access to ban the source IP address of an abusive user if someone tries either a DoS attack or makes dictionary-based login attempts.
There is software called "fail2ban" http://www.fail2ban.org/ which does exactly this, and it needs a place where it can find the failed logins - which are usually logged in a logfile.

Unfortunately I am absolutely inexperienced with Java programming, but I am willing to implement it in subsonic myself... if someone could give me a hint where in the source code the login stuff is handled?!?

Greets from Berlin, Germany
Martin
martin
 
Posts: 3
Joined: Sun Oct 09, 2011 9:18 am

Re: Log failed login attempts

Postby califrag » Tue Oct 25, 2011 3:22 am

Hello, just wanted to let anyone that reads this or goes to +1 this know that I plan to add this functionality and have already implemented the changes into a separate branch of Subsonic that I am developing. It will be up to Sindre if he wants to merge my changes into the main branch, but the option will be available.

Here is what it currently looks like. This will capture failed login attempts from remote or local addresses so you can differentiate whether it is a possible attack or someone in your house/on your network having problems logging in.

http://i.imgur.com/cFcSd.png

You can read more about my modifications and keep up to date with the changes in this thread:
viewtopic.php?f=8&t=8036

Please note that there is a small bug with it that I am currently trying to figure out.

The way it works is when the 'login.view' page is loaded with an 'error' attribute (after a bad login attempt), it generates the log warning.

The bug occurs when a user navigates to 'login.view?error' and skips logging in, it will still generate the warning, even though it wasn't an actual login attempt.
Also, if a user fails at login and hits 'refresh' it will keep generating the log warning.
I imagine this could lead to spamming the log file with failure warnings, so I'm trying to figure out how to capture that situation so it doesn't happen or figure a better way to generate the warning.
Anyways, it's a work in progress and I should be releasing a stable .war within the next day or two.

I'm not sure how to get the failed credentials yet, but once I can figure that out I will include the failed username in the log warning.
califrag
 
Posts: 72
Joined: Mon Sep 26, 2011 3:43 am

Re: Log failed login attempts

Postby eldustino » Tue Jan 10, 2012 4:18 pm

I love Subsonic, but this (no logging) is a glaring security hole, especially when you consider that it's meant to be internet facing. I'm still amazed that auth attempts aren't logged anywhere.
eldustino
 
Posts: 1
Joined: Tue Jan 10, 2012 4:10 pm

Re: Log failed login attempts

Postby MReptile » Sun Jan 15, 2012 12:39 am

Hello Dear Community

Is it possible to configure subsonic so that it blocks a user account after someone has entered too many wrong passwords?
Or is it possible to let Windows decide whether the user should be able to login or not? As it can be done in Windows Server Group Policies. Block account for 30 minutes.
This would increase security.

Furthermore I would like to know if it is possible to change the username of the "admin" account.
This username is a little bit too known. ((-:

Despite of the things mentioned above I finally found, what I was looking for! I am going to donate soon.

Sorry for my bad English

Greetings MReptile
MReptile
 
Posts: 6
Joined: Sun Jan 15, 2012 12:28 am
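The two requests in this thread, Martin's fail2ban-style banning of a source IP that keeps failing, and MReptile's 30-minute lockout of an account after too many wrong passwords, both need the same raw material: a log line per failed attempt carrying timestamp, username and source address. The Python below is an added example written for this thread, not Subsonic, Acegi or fail2ban code. The log line format, the sample lines and the thresholds (3 failures in 10 minutes, 30-minute lock) are assumptions made for the example; it parses the constructed lines and replays them through a per-IP and a per-account sliding-window counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a hypothetical subsonic.log. The real project's log
# format is not shown in the thread; the line shape used here is an assumption.
SAMPLE_LOG = """\
[2012-01-15 00:39:01,120] WARN LoginFailure - Failed login for user 'admin' from 203.0.113.7
[2012-01-15 00:39:03,450] WARN LoginFailure - Failed login for user 'admin' from 203.0.113.7
[2012-01-15 00:39:05,001] WARN LoginFailure - Failed login for user 'root' from 203.0.113.7
[2012-01-15 00:39:06,700] WARN LoginFailure - Failed login for user 'bob' from 192.168.1.20
[2012-01-15 00:39:08,300] WARN LoginFailure - Failed login for user 'admin' from 203.0.113.7
[2012-01-15 00:39:09,900] WARN LoginFailure - Failed login for user 'admin' from 203.0.113.7
[2012-01-15 00:39:12,000] INFO  LoginSuccess - Successful login for user 'bob' from 192.168.1.20
[2012-01-15 01:20:00,000] WARN LoginFailure - Failed login for user 'bob' from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARN\s+LoginFailure - Failed login for user "
    r"'(?P<user>[^']*)' from (?P<ip>[0-9a-fA-F.:]+)$"
)


def parse_failures(text):
    """Return a list of (timestamp, username, ip) for each failed-login line.

    Non-matching lines (successful logins, other output) are skipped, so this
    can be run over the whole log file, which is what fail2ban's filter does.
    """
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        out.append((ts, m.group("user"), m.group("ip")))
    return out


class FailureTracker:
    """Sliding-window failure counter with a temporary lockout.

    A key (an IP address or a username) is locked for `lockout` once it has
    accumulated `threshold` failures inside any `window`-long period.
    """

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.events = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}             # key -> datetime the lock expires

    def record(self, key, ts):
        """Record one failure for `key` at `ts`; return True if it triggered a lock."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # age out old failures
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[key] = ts + self.lockout
            q.clear()                          # fresh count once the lock expires
            return True
        return False

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        return until is not None and now < until


def analyze(text, threshold=3):
    """Replay failed-login lines through a per-IP and a per-account tracker."""
    by_ip = FailureTracker(threshold=threshold)
    by_user = FailureTracker(threshold=threshold)
    banned_ips, locked_users = set(), set()
    for ts, user, ip in parse_failures(text):
        if by_ip.record(ip, ts):
            banned_ips.add(ip)
        if by_user.record(user, ts):
            locked_users.add(user)
    return {"banned_ips": banned_ips, "locked_users": locked_users,
            "ip_tracker": by_ip, "user_tracker": by_user}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("ban source IPs:", sorted(result["banned_ips"]))
    print("lock accounts: ", sorted(result["locked_users"]))
```

On the sample, the per-IP counter bans 203.0.113.7 after three failures across two usernames (a dictionary run that rotates usernames is still caught), while the per-account counter locks 'admin' and leaves 'bob' alone because his two failures are more than ten minutes apart. The two rules complement each other: an account lockout on its own lets anyone who can reach the login page keep 'admin' locked out, so an IP-based ban is the safer first line. Whatever emits the log line should fire on the actual authentication failure rather than on rendering the login page with an error parameter, or a page refresh produces the spurious entries califrag describes above.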

Re: Log failed login attempts

Postby ytechie » Sun Jan 15, 2012 1:32 am

The number of failed attempts allowed can be set using the acegi security framework. I tried working with it, but I don't know much about the spring framework and java in general.
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Log failed login attempts

Postby MReptile » Sun Jan 15, 2012 3:46 pm

Thanks

I have absolutely no idea what you are talking about.
Do you have a link to a how-to or a link to further information?

Thank you very much.

Greetings MReptile
MReptile
 
Posts: 6
Joined: Sun Jan 15, 2012 12:28 am

Re: Log failed login attempts

Postby ytechie » Sun Jan 15, 2012 7:53 pm

acegi is a framework that is used in subsonic for the security functions such as logins and user restrictions. There are lots of resources out there, just google "acegi max attempts" and that should get you rolling.
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Log failed login attempts

Postby MReptile » Fri Jan 20, 2012 5:23 pm

I have been searching for days

No luck so far. Please consider that I have no programming experience. It should be an easy solution or a step-by-step guide.
MReptile
 
Posts: 6
Joined: Sun Jan 15, 2012 12:28 am

Re: Log failed login attempts

Postby ytechie » Fri Jan 20, 2012 5:36 pm

I don't know much about it either. I just thought that I would share the extent of what I know about subsonic's security backend.
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Log failed login attempts

Postby BKKKPewsey » Fri Jan 20, 2012 6:08 pm

In a moment of boredom I just did a bit of google searching and found this:

http://www.harinair.com/2010/02/spring- ... t-lockout/

It appears to be written in English with lots of gobbledygook between :shock:
:lol: Hope it may help someone who understands these things :wink:
Everyone is entitled to be stupid, but some abuse the privilege!

Due to the confusion from too many genres of music, we have decided to put both country music and rap music into the genre of Crap music.
BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom
