Log failed login attempts

Got an idea? Missing something? Post your feature request here.

Moderator: moderators

Log failed login attempts

Postby mgrant » Tue May 12, 2009 12:19 am

My apologies if this has already been requested. I searched and did not find a previous request.

I'd like a way to tell if people are attempting and failing to login. At the least I'd like to know the IP address and username. Additionally it would be useful to me (though perhaps not desirable in general) to know what password the failed user tried.

Thanks,

-mg
mgrant
 
Posts: 76
Joined: Mon Mar 03, 2008 1:15 am

Re: Log failed login attempts

Postby martin » Mon Oct 10, 2011 5:53 am

Hi,

I would like to have some logging of (at least) failed login attempts (and maybe successful logins too) in the subsonic.log file. As in the previuos post, the minimum additional information should be the source ip address and attempted username.
This information can be used on a subsonic server with internet access to ban the source ip address of an abusive user if someone tries either a DOS attack or makes dictionary based login attempts.
There is a software called "fail2ban" http://www.fail2ban.org/ which does exactly this and it needs a place where it can find the failed logins - which are usually logged in a logfile.

Unfortunately I am absolutely unexperienced with JAVA programming, but I am willing to implement it in subsonic myself... if someone could give me a hint where in the source code the login stuff is handled?!?

Greets from Berlin, Germany
Martin
martin
 
Posts: 3
Joined: Sun Oct 09, 2011 9:18 am

Re: Log failed login attempts

Postby califrag » Tue Oct 25, 2011 3:22 am

Hello, just wanted to let anyone that reads this or goes to +1 this know that I plan to add this functionality and have already implemented the changes into a separate branch of Subsonic that I am developing. It will be up to Sindre if he wants to merge my changes into the main branch, but the option will be available.

Here is what it currently looks like. This will capture failed login attempts from remote or local addresses so you can differentiate whether it is a possible attack or someone in your house\on your network having problems logging in.

http://i.imgur.com/cFcSd.png

You can read more about my modifications and keep up to date with the changes in this thread:
viewtopic.php?f=8&t=8036

Please note that there is a small bug with it that I am currently trying to figure out.

The way it works is when the 'login.view' page is loaded with an 'error' attribute (after a bad login attempt), it generates the log warning.

The bug occurs when a user navigates to 'login.view?error' and skips logging in, it will still generate the warning, even though it wasn't an actual login attempt.
Also, if a user fails at login and hits 'refresh' it will keep generating the log warning.
I imagine this could lead to spamming the log file with failure warnings, so I'm trying to figure out how to capture that situation so it doesn't happen or figure a better way to generate the warning.
Anyways, it's a work in progress and I should be releasing a stable .war within the next day or two.

I'm not sure how to get the failed credentials yet, but once I can figure that out I will include the failed username in the log warning.
califrag
 
Posts: 72
Joined: Mon Sep 26, 2011 3:43 am

Re: Log failed login attempts

Postby eldustino » Tue Jan 10, 2012 4:18 pm

I love Subsonic, but this (no logging) is a glaring security hole especially when you consider that its meant to be internet facing. I'm still amazed that auth attempts aren't logged anywhere.
eldustino
 
Posts: 1
Joined: Tue Jan 10, 2012 4:10 pm

Re: Log failed login attempts

Postby MReptile » Sun Jan 15, 2012 12:39 am

Hello Dear Community

Is it possible to configure subsonic, that it blocks a user account after someone has entered too much wrong passwords?
Or is it possible to let Windows decide, wheter the user schould be able to login or not? As ist can be done in Windows Server Group Policies. Block Account for 30 minutes.
This would increase security.

Furthermore I would like to know if it is possible to change the username of the "admin"-Account
This username is a little bit too known. ((-:

Despite of the things mentioned above I finally found, what I was looking for! I am going to donate soon.

Sorry for my bad English

Greetings MReptile
MReptile
 
Posts: 6
Joined: Sun Jan 15, 2012 12:28 am

Re: Log failed login attempts

Postby ytechie » Sun Jan 15, 2012 1:32 am

The number of failed attempts allowed can be set using the acegi security framework. I tried working with it, but I don't know much about the spring framework and java in general.
User avatar
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Log failed login attempts

Postby MReptile » Sun Jan 15, 2012 3:46 pm

Thanks

I have absolutely no idea what you are talking about.
Do you have a Link to a howto or a link to further information?

Thank you very much.

Greetings MReptile
MReptile
 
Posts: 6
Joined: Sun Jan 15, 2012 12:28 am

Re: Log failed login attempts

Postby ytechie » Sun Jan 15, 2012 7:53 pm

acegi is a framework that is used in subsonic for the security functions such as logins and user restrictions. There are lots of resources out there, just google "acegi max attempts" and that should get you rolling.
User avatar
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Log failed login attempts

Postby MReptile » Fri Jan 20, 2012 5:23 pm

I have been searching for days

No luck so far. Please consider that i have no programming experience. It should be a easy solution or a step by step guide.
MReptile
 
Posts: 6
Joined: Sun Jan 15, 2012 12:28 am

Re: Log failed login attempts

Postby ytechie » Fri Jan 20, 2012 5:36 pm

I don't know much about it either. I just thought that I would share the extent of what I know about subsonic's security backend.
User avatar
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Log failed login attempts

Postby BKKKPewsey » Fri Jan 20, 2012 6:08 pm

In a moment of boredom I just did a bit of google searching and found this:

http://www.harinair.com/2010/02/spring- ... t-lockout/

It appears to be written in English with lots of gobbledygook between :shock:
:lol: Hope it may help someone who understands these things :wink:
Everyone is entitled to be stupid, Image but some abuse the privilege!

Due to the confusion from too many genres of music, we have decided to put both country music and rap music into the genre of Crap music.
User avatar
BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom


Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 17 guests