View Issue Details

ID: 0009538
Project: Tine 2.0
Category: Tinebase
View Status: public
Last Update: 2018-03-22 07:04
Reporter: ingoratsdorf
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Platform: i386
OS: linux
OS Version: 3.2.0-24
Product Version: feature requests
Target Version: feature requests
Fixed in Version:
Summary: 0009538: Increase security by logging login failures to system log
Description:
Brute force attacks are becoming more frequent.
I noticed that some people tried to log in to my tine20 installation using standard account names, i.e. "Tine20", "admin", "administrator" etc.

I recently installed ant-brute-force plugin to my joomla installation and had already the first few IPs blocked.

Tine records login and success/failures in the access log but who reads that? And it cannot be used by programs like fail2ban etc.

So could there be a facility to log unsuccessful login attempts to apache or system log or some other system available log file?

Steps To Reproduce:
Try to log in with wrong user name or wrong password.

No error in any system log, i.e. dmesg, auth, syslog, ...

Additional Information:
If an attacker tries to log in with a wrong identity, we would like to block him after a few attempts. Not?
One could use fail2ban to do this if failure information was available to the underlying system.

I noticed that such information is written into the tine20 logfile:
WARN (4): Tinebase_Controller::login::106 Login with username test from x.x.x.x failed (-1)!

However, this would only be available with at least warning level log switched on. I usually have it on error.
So could such events be piped through to syslog, i.e. like in the PHP examples:

syslog(LOG_WARNING, "Unauthorized client: $access {$_SERVER['REMOTE_ADDR']} ({$_SERVER['HTTP_USER_AGENT']})");
Tags: No tags attached.

Activities

pschuele

2014-01-15 14:00

administrator   ~0013268

Maybe we could add an option to the setup "log authentication failures to syslog".

BTW: here is a pull request for fail2ban by Lars with the filter for the Tine 2.0 logfile -> https://github.com/fail2ban/fail2ban/pull/583

ingoratsdorf

2018-03-22 07:03

developer   ~0021554

Last edited: 2018-03-22 07:04

I see that tine20 now logs to the tine logfile after x (user defined) attempts of unsuccessful logins.
However, the login attempt is per user, so if someone tries all different usernames, then we could have a DDOS.
Secondly, I noticed that the log format was changed from what was published for fail2ban, meaning fail2ban does not work anymore.

Should the log file be set to "colorize", then fail2ban fails completely as it fails to work out the escape sequences. Whatever regex I tried for fail2ban, if colorize is set, all fail. As soon as colorize is off, the regexps do work again.

config.inc.php:
'logger' =>
  array (
    'active' => true,
    'priority' => 4,
    'filename' => '/var/tine20/log/tine20.log',
    //'colorize' => true,
    //'tz' => 'Pacific/Auckland',
  ),

So if someone wants to get this going (again), I suggest to:
a) switch colorize off (if it is on)
b) use the following new regex: "^.*[\da-f]+ -- none -- - [\d\+:T\-]+ WARN \(\d+\): Tinebase_Controller::_loginFailed::\d+ Login with username .* from <HOST> failed"
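
Added example, not part of the original note and not code from Tine 2.0 or fail2ban: a Python stand-in for fail2ban's matching that runs the regex from the note above over constructed log lines, showing a colorized line failing to match until the ANSI escapes are stripped, and failures being counted per source IP rather than per username. The sample lines, the placement of the colour codes, the simplified `<HOST>` substitution and the names `failed_host` and `offenders` are assumptions; fail2ban's own date handling is not reproduced.

```python
import re
from collections import Counter

# failregex from the note above; <HOST> is replaced by a simplified IPv4
# group (assumption: fail2ban's real <HOST> expansion is broader).
FAILREGEX = (r"^.*[\da-f]+ -- none -- - [\d\+:T\-]+ WARN \(\d+\): "
             r"Tinebase_Controller::_loginFailed::\d+ "
             r"Login with username .* from <HOST> failed")
PATTERN = re.compile(
    FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# ANSI CSI sequences such as ESC[1;33m and ESC[0m.
ANSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

def failed_host(line, strip_ansi=False):
    """Return the source IP of a failed-login line, or None if no match."""
    if strip_ansi:
        line = ANSI.sub("", line)
    m = PATTERN.search(line)
    return m.group("host") if m else None

def offenders(lines, maxretry=3):
    """Count failures per source IP (any username); return IPs >= maxretry."""
    hosts = (failed_host(l, strip_ansi=True) for l in lines)
    hits = Counter(h for h in hosts if h)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

# Constructed sample lines shaped after the regex; not taken from a real server.
PLAIN = ("5f3a9c -- none -- - 2018-03-22T07:03:11+00:00 WARN (4): "
         "Tinebase_Controller::_loginFailed::100 "
         "Login with username {user} from {ip} failed (-1)!")
# Assumed colorize output: the priority name wrapped in colour codes.
COLOR = PLAIN.replace("WARN", "\x1b[1;33mWARN\x1b[0m")

SAMPLE = [COLOR.format(user=u, ip="203.0.113.7")
          for u in ("Tine20", "admin", "administrator")]
SAMPLE.append(PLAIN.format(user="ingo", ip="198.51.100.4"))

if __name__ == "__main__":
    print("plain    :", failed_host(SAMPLE[3]))
    print("colorized:", failed_host(SAMPLE[0]))
    print("stripped :", failed_host(SAMPLE[0], strip_ansi=True))
    print("offenders:", offenders(SAMPLE))
```
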

Issue History

Date Modified Username Field Change
2014-01-15 00:40 ingoratsdorf New Issue
2014-01-15 13:15 pschuele Priority urgent => normal
2014-01-15 14:00 pschuele Note Added: 0013268
2018-03-22 07:03 ingoratsdorf Note Added: 0021554
2018-03-22 07:04 ingoratsdorf Note Edited: 0021554