Record the incoming IP in WebTop 5 log file (/var/log/webtop/webtop.log)

GG_jr · February 24, 2017, 10:08pm

I talked with @stephdl about the possibility to create a jail for WT 5 in his F2B version for NS7.
To do this new feature, in WT 5 log file (/var/log/webtop/webtop.log) is mandatory to be recorded the incoming IP of the client who need to connect to WT 5.
Could you do that?

TIA,
Gabriel

giacomo · February 25, 2017, 6:16pm

There is already an access log file inside /var/lib/tomcats/webtop/logs.

GG_jr · February 25, 2017, 10:34pm

Unfortunately, the only IP is 127.0.0.1.
And no error messages in case of wrong login (the last login, 26/Feb/2017:00:26:06 +0200, is with wrong password).

EDIT (corrected):

In “/var/log/webtop/webtop.log” there are error messages, but no IPs:

[ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

giacomo · February 26, 2017, 9:03am

It seemes I need to change tomcat config: http://www.techstacks.com/howto/configure-access-logging-in-tomcat.html

giacomo · February 27, 2017, 1:11pm

I added the feature in last the RPM from nethserver-testing.

GG_jr · February 27, 2017, 6:50pm

cc @stephdl

Thank you Giacomo!

Updated WebTop 5 from nethserver-testing with the last rpm.
Now, in /var/lib/tomcats/webtop/logs, both IPs (WAN and LAN) are recorded.

Foolish questions: because I don’t see in “/var/lib/tomcats/webtop/logs” the errors of the bad logins, to create jail and filter for WT 5 in F2B, can be read the IPs from one log file and the errors from other log file (“/var/log/webtop/webtop.log”)?

If yes, the synchro between the IP and the error can be made by time and date even if the format isn’t the same?.

10.0.0.1 - - [27/Feb/2017:20:18:26 +0200] “POST /webtop/login HTTP/1.1” 200 5492 “https://mail.nshosting.abt.ro/webtop/” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0”

2017-02-27 20:18:26 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

stephdl · February 27, 2017, 8:56pm

I suppose the line above is done after a failed attempt ?

Do I’m right @GG_jr

the filter could be like this in /etc/fail2ban/filter.d/webtop

[Definition]
#this filter is made against brute force attack to webtop
# Author Stephane de Labrusse <stephdl@de-labrusse.fr>

failregex =^<HOST>.-.-.\[.*\] "POST /webtop/login HTTP/1.1" 200
ignoreregex =

and in jail.local

[webtop]
enabled = true
port=?
logpath = /var/lib/tomcats/webtop/logs*

@giacomo what is the port please

GG_jr · February 28, 2017, 4:42am

Hi @stephdl ,

Yes, you are right!

I will send during this day samples from both log files, for correct login and failed attempt.

GG_jr · February 28, 2017, 8:19am

Bad login from LAN:

from /var/log/webtop/webtop.log:

2017-02-28 10:01:32 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

from /var/lib/tomcats/webtop/logs:

192.168.1.226 - - [28/Feb/2017:10:01:32 +0200] “POST /webtop/login HTTP/1.1” 200 5492 “https://mail.nshosting.abt.ro/webtop/” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0”

Good login from LAN:

from /var/lib/tomcats/webtop/logs:

192.168.1.226 - - [28/Feb/2017:10:13:23 +0200] “POST /webtop/login HTTP/1.1” 302 - “https://mail.nshosting.abt.ro/webtop/” "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.226 - - [28/Feb/2017:10:13:24 +0200] “GET /webtop/ HTTP/1.1” 200 12289 “https://mail.nshosting.abt.ro/webtop/” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0”

giacomo · March 1, 2017, 2:28pm

You shouldn’t need to search the information on multiple logs, since WebTop should log a 401 (UNAUTHORIZED) http response if the login fails.

But it seems it always logs a 200 status.
@matteo.albinola @gabriele_bulfon do you think we can improve the http response code?

matteo.albinola · March 1, 2017, 4:45pm

If you are interested in the details of a login attempt you can look into the “core”.“syslog” DB table.
In this table we dump some data (like timestamp, user, service, IP, etc…) about events of the platform.
You should look for “LOGIN” and “LOGIN_FAILURE” keys in the action column.

This kind of logging can be enabled in this way:
INSERT INTO “core”.“settings” (“service_id”, “key”, “value”) VALUES (‘com.sonicle.webtop.core’, ‘syslog.enabled’, ‘true’);

I hope that this is suitable for your needs otherwise i will investigate the possibility to change the response code.

stephdl · March 1, 2017, 4:55pm

@giacomo the line in tomcat log is fair enough to ban an attacker, I don’t mind what it is, it just need to match my regex

@matteo.albinola, fail2ban only matches regex in logs, not in database

giacomo · March 1, 2017, 4:58pm

Fine, but you need to distinguish between failed and successful login attempts. AFAIK this is usually done using the http status code.

Am I wrong?

stephdl · March 1, 2017, 5:03pm

like you can see above, good login are different of bad login therefore I can create a regex for matching the bad login…I’m not (only) looking for the http status, but on the line match

it will do something like this

stephdl · October 21, 2018, 9:35am

back on this, it is on my todo

stephdl · October 21, 2018, 5:23pm

stephdl · October 24, 2018, 6:58am

Testers are needed to verify the works, please look at the QA