Hi
Many projects try to protect against brute force attacks on the login page by adding code to capture the IP address and other information in order to block the workstation.
Like many system admins, I use IDS software such as OSSEC, which works very well against this type of attack.
And now I let OSSEC do this job.
Now in my developments, quite simply, on an unsuccessful login I log this in the vhost error log:
user [login posted]: authentication failure for "[Dir or page asked]": Password Mismatch
So I suggest you include this code when a login fails, for servers that use an IDS, because the protection is included in the IDS rules. For example, in OSSEC the workstation is blocked by firewall rules for 15 minutes when OSSEC detects a brute force attack (IDS rule: many authentication failures in the HTTP log):
My code:
class helper_apache2 {
    private static function addlog($erreur) {
        /*
         * $erreur : string, the line to write to the Apache error log
         */
        if (error_log($erreur)) return true;
        // error_log() returned false: the line could not be written (was "echoB", an undefined function)
        echo "Error during write data in error log apache";
        die;
    }

    public static function erreurAuthent($d) {
        /*
         * $d : string[] must contain 'login'
         */
        $user = null;
        if (isset($d['login']) && $d['login'] != '') $user = $d['login'];
        // message in the format the IDS rule looks for; $user and REQUEST_URI come from the client
        $message = "user $user: authentication failure for \"" . $_SERVER['REQUEST_URI'] . "\": Password Mismatch";
        header("HTTP/1.1 401 Unauthorized");
        return helper_apache2::addlog($message);
    }
}
In the login process code, where the login is unsuccessful, call:
    helper_apache2::erreurAuthent($d)
where $d is like $d = array('login' => [login posted], etc...)
Best Regards
I think the point you are making is this:
In case of login errors, log the error in the webserver error log file.
That way security packages can use the error log, execute their rules against it and take appropriate measures.
I agree and will fix development.
Thanks for taking my proposal into consideration.
Best Regards.
Change /application/controllers/AccessController.class.php
Insert this:
    $date = date('Y-m-d h:i:s'); error_log("$date: user [$username]: authentication failure: Password Mismatch");
after this (line 91):
    tpl_assign('error', new Error(lang('invalid login data')));
In fact there are 2 tests, is valid user and is valid password, and we can forget the datetime because it's added by the Apache server, so we must write:
    $user = Users::getByUsername($username, owner_company());
    if (!($user instanceof User)) {
        tpl_assign('error', new Error(lang('invalid login data')));
        // one line per failed login so the IDS rule can count them; $username comes from the login form
        error_log("user [$username]: authentication failure: Password Mismatch");
        $this->render();
    } // if
    if (!$user->isValidPassword($password)) {
        tpl_assign('error', new Error(lang('invalid login data')));
        error_log("user [$username]: authentication failure: Password Mismatch");
        $this->render();
    } // if
I've implemented this code and tested it with the OSSEC IDS, and it works fine!!
Best Regards
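The detection side of what this thread proposes, as an added example that is neither the posters' code nor OSSEC's: it parses Apache error-log records carrying either of the two failure messages used above, counts failures per client IP in a sliding window, and reports which address would be blocked for 15 minutes. The Apache 2.4 record layout, the threshold and window values, and the sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Apache 2.4 error-log layout for a record written by PHP's error_log():
# [timestamp] [module:level] [pid N] [client IP:port] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] (?:\[pid \d+\] )?"
                     r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] (?P<msg>.*)$")
# Both message variants from the thread. The anchors mean a username containing a newline
# would split the record and never match, so the app should strip CR/LF before logging.
FAIL_RE = re.compile(r'^user .+?: authentication failure(?: for "[^"]*")?: Password Mismatch$')
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

def parse_auth_failure(line):
    """Return (timestamp, client_ip) for an authentication-failure record, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or not FAIL_RE.match(m["msg"]):
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"]

def detect_bruteforce(lines, threshold=8, window=timedelta(seconds=120),
                      block_for=timedelta(minutes=15)):
    """Sliding-window failure count per client IP over chronologically ordered records.
    Returns {ip: blocked_until} for IPs reaching `threshold` failures inside `window`; the block
    lasts `block_for` (15 minutes, as in the thread). Threshold and window are assumed tunables."""
    recent, blocked = defaultdict(deque), {}
    for line in lines:
        event = parse_auth_failure(line)
        if event is None:
            continue
        ts, ip = event
        bucket = recent[ip]
        bucket.append(ts)
        while ts - bucket[0] > window:   # drop failures that fell out of the window
            bucket.popleft()
        if len(bucket) >= threshold and ip not in blocked:
            blocked[ip] = ts + block_for
    return blocked
def apache_line(hms, ip, msg):   # one constructed Apache 2.4 error-log record
    return f"[Tue Jan 01 {hms}.000001 2019] [php7:notice] [pid 1234] [client {ip}:40000] {msg}"
# Constructed sample log: an unrelated record, two sub-threshold failures from 198.51.100.7
# (one in each message format), and eight failures from 203.0.113.5 inside 35 seconds.
SAMPLE_LOG = [
    apache_line("11:59:58", "198.51.100.7", "AH00128: File does not exist: /var/www/favicon.ico"),
    apache_line("11:59:59", "198.51.100.7", "user [alice]: authentication failure: Password Mismatch"),
    apache_line("12:00:02", "198.51.100.7", 'user alice: authentication failure for "/login": Password Mismatch'),
] + [apache_line(f"12:00:{5 * i:02d}", "203.0.113.5", "user [admin]: authentication failure: Password Mismatch")
     for i in range(8)]
BLOCKED = detect_bruteforce(SAMPLE_LOG)   # {'203.0.113.5': datetime(2019, 1, 1, 12, 15, 35)}
```

Run it over a real vhost error log with `detect_bruteforce(open(path))` once the record layout matches your Apache version; only the last 35 seconds of the constructed log trip the threshold.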