Are attempts to log in via web interface logged?

[RandomUsername]

Hi all,

Does anyone know if attempts to log into the B2's web interface are logged anywhere? I assumed they'd be in auth.log but that doesn't seem to be the case.

A trawl through all my other log files would suggest that they're not but I'd like confirmation.

Thanks.

Darren.

[Cheeseboy]

Hi Darren,

After some experiments, I concur.
No trace under /var/log anyway, either for a wrong password for an existing user, or a completely invalid combo.

I was starting to try to strace apache to find out what was going on, but then I realized I have no cause and I'm too tired, and I shouldn't get so involved again all the time...

Cheers,

Cheeseboy

[RandomUsername]

Thanks for confirming. I wouldn't mind an indication if someone is repeatedly attempting to log on to my server.

[6feet5]

Hi,

One way (may not be the best way, I wouldn't know since I'm no expert) is to add one line in the file "/usr/share/web-admin/admin/models/auth_model.php". Locate the "Login" method and go to the else-statement (where it says "do nothing on failed attempt") and add the following line (just above the "do nothing.."-comment, or just above the return statement)

Code: Select all

syslog( LOG_WARNING, "Failed login attempt: Tried to login as '$username' from {$_SERVER['REMOTE_ADDR']} (using '{$_SERVER['HTTP_USER_AGENT']}')");

This will add a message to the "/var/log/messages" on each failed login attempt with some info that might be of interest.

As I mentioned, I'm no expert, so there may be security issues with this. And be sure to backup the file before you do anything

/Johan

[RandomUsername]

Thanks Johan, I'll look into giving that a try.

[RandomUsername]

Works a treat. Thanks!

[DanielM]

Code: Select all

syslog( LOG_WARNING, "Failed login attempt: Tried to login as '$username' from {$_SERVER['REMOTE_ADDR']} (using '{$_SERVER['HTTP_USER_AGENT']}')");

Can't really understand why nothing like this was there from the start. Could you send that code line to Excito and suggest that they put it in their official code?

/Daniel

[Ubi]

i was thinking exactly that

[RandomUsername]

Not taking credit for Johan's work but I've taken the liberty of sending this to Excito.

Cheers.

Darren.

[Magnus]

Thanks for highlighting this.
Will add this as a feature request.

[kjellberg]

Lovely!
If someone could just figure out a way to get rid of all the Cron printouts in the syslog aswell and the log would be really usefull!

[6feet5]

Thanks Darren,

And while we wait for the official version, replace previous code with

Code: Select all

openlog("web-admin", LOG_ODELAY, LOG_AUTHPRIV);
syslog( LOG_WARNING, "Failed login attempt: Tried to login as '$username' from {$_SERVER['REMOTE_ADDR']} (using '{$_SERVER['HTTP_USER_AGENT']}')");
closelog();

This will make the log entry end up in /var/log/auth.log (which I think is the right place, correct me if I'm wrong). Also, the application will be identified as web-admin instead of the apache php module.

/Johan

[RandomUsername]

Thanks Johan, I'll give it a whirl.

[EDIT]As this is going to get written to auth.log any ideas if this would show up in logwatch? If not, does anyone know how to add it?

[EDIT 2]It looked quite complicated at first but this: http://my.opera.com/Andrew%20Gregory/bl ... o-logwatch makes it sound quite simple. A simple script grepping auth.log for the appropriate output should be good enough.

[EDIT 3]With Johan's change it looks like these are now picked up by logwatch under the heading

Connections (secure-log) Begin

Sweet!

[Cheeseboy]

Thanks!
Implemented.

Code: Select all

Apr  9 00:30:29 b3 web-admin: Failed login attempt: Tried to login as 'monkey' from 192.168.10.65 (using 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16')

[Cheeseboy]

As this is going to get written to auth.log any ideas if this would show up in logwatch?

I use logcheck. This is in the email I get from it, without any changes apart from the above:

Code: Select all

Apr  9 00:30:29 b3 web-admin: Failed login attempt: Tried to login as 'monkey' from 192.168.10.65 (using 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16')