webtop.log)

GG_jr (Gabriel GHEORGHIU) 2017-02-24 22:08:39 UTC #1

I talked with @stephdl about the possibility to create a jail for WT 5 in his F2B version for NS7.
To do this new feature, in WT 5 log file (/var/log/webtop/webtop.log) is mandatory to be recorded the incoming IP of the client who need to connect to WT 5.
Could you do that?

TIA,
Gabriel

giacomo (Giacomo Sanchietti) 2017-02-25 18:16:32 UTC #2

There is already an access log file inside /var/lib/tomcats/webtop/logs.

GG_jr (Gabriel GHEORGHIU) 2017-02-25 22:34:45 UTC #3

Unfortunately, the only IP is 127.0.0.1.
And no error messages in case of wrong login (the last login, 26/Feb/2017:00:26:06 +0200, is with wrong password).

EDIT (corrected):

In "/var/log/webtop/webtop.log" there are error messages, but no IPs:

[ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

giacomo (Giacomo Sanchietti) 2017-02-26 09:03:26 UTC #4

It seemes I need to change tomcat config: http://www.techstacks.com/howto/configure-access-logging-in-tomcat.html

giacomo (Giacomo Sanchietti) 2017-02-27 13:11:47 UTC #5

I added the feature in last the RPM from nethserver-testing.

GG_jr (Gabriel GHEORGHIU) 2017-02-27 18:50:59 UTC #6

cc @stephdl

Thank you Giacomo!

Updated WebTop 5 from nethserver-testing with the last rpm.
Now, in /var/lib/tomcats/webtop/logs, both IPs (WAN and LAN) are recorded.

Foolish questions: because I don't see in "/var/lib/tomcats/webtop/logs" the errors of the bad logins, to create jail and filter for WT 5 in F2B, can be read the IPs from one log file and the errors from other log file ("/var/log/webtop/webtop.log")?

If yes, the synchro between the IP and the error can be made by time and date even if the format isn't the same?.

10.0.0.1 - - [27/Feb/2017:20:18:26 +0200] "POST /webtop/login HTTP/1.1" 200 5492 "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"

2017-02-27 20:18:26 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

stephdl (Stéphane de Labrusse) 2017-02-27 20:56:53 UTC #7

I suppose the line above is done after a failed attempt ?

Do I'm right @GG_jr

the filter could be like this in /etc/fail2ban/filter.d/webtop

[Definition]
#this filter is made against brute force attack to webtop
# Author Stephane de Labrusse <stephdl@de-labrusse.fr>

failregex =^<HOST>.-.-.\[.*\] "POST /webtop/login HTTP/1.1" 200
ignoreregex =

and in jail.local

[webtop]
enabled = true
port=?
logpath = /var/lib/tomcats/webtop/logs*

@giacomo what is the port please

GG_jr (Gabriel GHEORGHIU) 2017-02-28 04:42:35 UTC #8

Hi @stephdl ,

Yes, you are right!

I will send during this day samples from both log files, for correct login and failed attempt.

GG_jr (Gabriel GHEORGHIU) 2017-02-28 08:19:07 UTC #9

Bad login from LAN:

from /var/log/webtop/webtop.log:

2017-02-28 10:01:32 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

from /var/lib/tomcats/webtop/logs:

192.168.1.226 - - [28/Feb/2017:10:01:32 +0200] "POST /webtop/login HTTP/1.1" 200 5492 "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"

Good login from LAN:

from /var/lib/tomcats/webtop/logs:

192.168.1.226 - - [28/Feb/2017:10:13:23 +0200] "POST /webtop/login HTTP/1.1" 302 - "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.226 - - [28/Feb/2017:10:13:24 +0200] "GET /webtop/ HTTP/1.1" 200 12289 "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"

giacomo (Giacomo Sanchietti) 2017-03-01 14:28:46 UTC #10

You shouldn't need to search the information on multiple logs, since WebTop should log a 401 (UNAUTHORIZED) http response if the login fails.

But it seems it always logs a 200 status.
@matteo.albinola @gabriele_bulfon do you think we can improve the http response code?

matteo.albinola (Matteo Albinola) 2017-03-01 16:45:31 UTC #11

If you are interested in the details of a login attempt you can look into the "core"."syslog" DB table.
In this table we dump some data (like timestamp, user, service, IP, etc...) about events of the platform.
You should look for "LOGIN" and "LOGIN_FAILURE" keys in the action column.

This kind of logging can be enabled in this way:
INSERT INTO "core"."settings" ("service_id", "key", "value") VALUES ('com.sonicle.webtop.core', 'syslog.enabled', 'true');

I hope that this is suitable for your needs otherwise i will investigate the possibility to change the response code.

stephdl (Stéphane de Labrusse) 2017-03-01 16:55:18 UTC #12

@giacomo the line in tomcat log is fair enough to ban an attacker, I don't mind what it is, it just need to match my regex

@matteo.albinola, fail2ban only matches regex in logs, not in database

giacomo (Giacomo Sanchietti) 2017-03-01 16:58:53 UTC #13

Fine, but you need to distinguish between failed and successful login attempts. AFAIK this is usually done using the http status code.

Am I wrong?

stephdl (Stéphane de Labrusse) 2017-03-01 17:03:48 UTC #14

like you can see above, good login are different of bad login therefore I can create a regex for matching the bad login...I'm not (only) looking for the http status, but on the line match

it will do something like this