Record the incoming IP in WebTop 5 log file (/var/log/webtop/webtop.log)

Hello @gabriele_bulfon, @giacomo,

I talked with @stephdl about the possibility of creating a jail for WT 5 in his F2B version for NS7.
For this new feature, it is mandatory that the WT 5 log file (/var/log/webtop/webtop.log) records the incoming IP of the client who needs to connect to WT 5.
Could you do that?

TIA,
Gabriel


There is already an access log file inside /var/lib/tomcats/webtop/logs.


Unfortunately, the only IP is 127.0.0.1.
And there are no error messages in case of a wrong login (the last login, 26/Feb/2017:00:26:06 +0200, is with a wrong password).

EDIT (corrected):

In “/var/log/webtop/webtop.log” there are error messages, but no IPs:

[ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]


It seems I need to change the tomcat config: http://www.techstacks.com/howto/configure-access-logging-in-tomcat.html


I added the feature in the last RPM from nethserver-testing.


cc @stephdl

Thank you Giacomo!

Updated WebTop 5 from nethserver-testing with the last rpm.
Now, in /var/lib/tomcats/webtop/logs, both IPs (WAN and LAN) are recorded.

Foolish question: because I don't see the errors of the bad logins in "/var/lib/tomcats/webtop/logs", to create a jail and filter for WT 5 in F2B, can the IPs be read from one log file and the errors from the other log file ("/var/log/webtop/webtop.log")?

If yes, can the synchronization between the IP and the error be made by time and date even if the format isn't the same?

10.0.0.1 - - [27/Feb/2017:20:18:26 +0200] "POST /webtop/login HTTP/1.1" 200 5492 "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"

2017-02-27 20:18:26 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

I suppose the line above is done after a failed attempt?

Am I right, @GG_jr?

the filter could be like this in /etc/fail2ban/filter.d/webtop

[Definition]
# This filter is made against brute force attacks on webtop
# Author Stephane de Labrusse <stephdl@de-labrusse.fr>

# A POST to the login URL answered with HTTP 200 is a failed login;
# a successful login is answered with a 302 redirect (see the samples above),
# so the trailing "200" is what separates a bad login from a good one.
failregex = ^<HOST> - - \[.*\] "POST /webtop/login HTTP/1.1" 200
ignoreregex =

and in jail.local

[webtop]
enabled = true
filter = webtop
port = ?
# The Tomcat access log is written inside this directory (logpath must be a
# file glob, not the directory itself); adjust the pattern to the real file name.
logpath = /var/lib/tomcats/webtop/logs/*access*

@giacomo what is the port please

Hi @stephdl ,

Yes, you are right!

I will send samples from both log files during the day, for a correct login and a failed attempt.

Bad login from LAN:

from /var/log/webtop/webtop.log:

2017-02-28 10:01:32 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error com.sonicle.security.auth.DirectoryException: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

from /var/lib/tomcats/webtop/logs:

192.168.1.226 - - [28/Feb/2017:10:01:32 +0200] "POST /webtop/login HTTP/1.1" 200 5492 "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"

Good login from LAN:

from /var/lib/tomcats/webtop/logs:

192.168.1.226 - - [28/Feb/2017:10:13:23 +0200] "POST /webtop/login HTTP/1.1" 302 - "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.226 - - [28/Feb/2017:10:13:24 +0200] "GET /webtop/ HTTP/1.1" 200 12289 "https://mail.nshosting.abt.ro/webtop/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"

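To check that the proposed failregex really separates the bad login (POST answered with 200) from the good login (POST answered with 302, then a GET) in the Tomcat access-log samples above, here is a small Python emulation of what fail2ban does with that filter and jail. It is an added example, not code from the thread, from fail2ban or from WebTop: the `<HOST>` expansion is a simplified copy of fail2ban's host group, the referer host, the extra timestamps and the `maxretry`/`findtime` values are constructed for the example, and fail2ban's own matching (which strips the detected date from the line first) is not reproduced exactly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with its own host-capturing group; this is
# a simplified form of the one used by the 0.9 series (assumption), kept here
# only so that the filter regex can be tested without fail2ban installed.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex proposed for /etc/fail2ban/filter.d/webtop: a POST to the
# login URL answered with HTTP 200 is a failed login (a good login gets 302).
FAILREGEX = r'^<HOST> - - \[.*\] "POST /webtop/login HTTP/1.1" 200'
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Apache/Tomcat access-log timestamp, e.g. [28/Feb/2017:10:01:32 +0200].
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample lines modelled on the ones posted in the thread
# (referer host and the additional timestamps are made up).
UA = '"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"'
REF = '"https://mail.example.test/webtop/"'


def access_line(host, ts, request, status, size):
    """Build one combined-format access-log line like Tomcat's AccessLogValve."""
    return f'{host} - - [{ts} +0200] "{request}" {status} {size} {REF} {UA}'


SAMPLE_LINES = [
    access_line("192.168.1.226", "28/Feb/2017:10:01:32", "POST /webtop/login HTTP/1.1", 200, 5492),
    access_line("192.168.1.226", "28/Feb/2017:10:01:40", "POST /webtop/login HTTP/1.1", 200, 5492),
    access_line("10.0.0.1", "28/Feb/2017:10:05:00", "POST /webtop/login HTTP/1.1", 200, 5492),
    access_line("192.168.1.226", "28/Feb/2017:10:13:23", "POST /webtop/login HTTP/1.1", 302, "-"),
    access_line("192.168.1.226", "28/Feb/2017:10:13:24", "GET /webtop/ HTTP/1.1", 200, 12289),
    access_line("192.168.1.226", "28/Feb/2017:10:20:10", "POST /webtop/login HTTP/1.1", 200, 5492),
    access_line("192.168.1.226", "28/Feb/2017:10:21:00", "POST /webtop/login HTTP/1.1", 200, 5492),
    access_line("192.168.1.226", "28/Feb/2017:10:22:30", "POST /webtop/login HTTP/1.1", 200, 5492),
]


def match_failed_login(line):
    """Return (host, timestamp) when the line matches the failregex, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = TS_RE.search(line)
    when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
    return m.group("host"), when


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Emulate the jail: a host reaching maxretry failures inside findtime seconds is banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        hit = match_failed_login(line)
        if hit is None:
            continue                      # good login, GET, or unrelated request
        host, when = hit
        if host in banned:
            continue
        # Drop failures older than findtime, then count the new one.
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("FAIL " if match_failed_login(line) else "     ", line[:70])
    print("would ban:", hosts_to_ban(SAMPLE_LINES))
```

With the defaults above only 192.168.1.226 is banned: its first two failures fall out of the 600 second window before the third one arrives, and only the three failures between 10:20 and 10:23 count together; 10.0.0.1 has a single failure and is left alone. The two 302/GET lines of the good login never match, which is the property the filter relies on.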

You shouldn't need to search for the information in multiple logs, since WebTop should log a 401 (UNAUTHORIZED) HTTP response if the login fails.

But it seems it always logs a 200 status.
@matteo.albinola @gabriele_bulfon do you think we can improve the http response code?


If you are interested in the details of a login attempt you can look into the "core"."syslog" DB table.
In this table we dump some data (like timestamp, user, service, IP, etc.) about events of the platform.
You should look for "LOGIN" and "LOGIN_FAILURE" keys in the action column.

This kind of logging can be enabled in this way:
INSERT INTO "core"."settings" ("service_id", "key", "value") VALUES ('com.sonicle.webtop.core', 'syslog.enabled', 'true');

I hope that this is suitable for your needs, otherwise I will investigate the possibility of changing the response code.

@giacomo the line in the tomcat log is fair enough to ban an attacker, I don't mind what it is, it just needs to match my regex :slight_smile:

@matteo.albinola, fail2ban only matches regex in logs, not in database

Fine, but you need to distinguish between failed and successful login attempts. AFAIK this is usually done using the http status code.

Am I wrong?

Like you can see above, good logins are different from bad logins, therefore I can create a regex for matching the bad login... I'm not (only) looking at the HTTP status, but at the line match

it will do something like this


back on this, it is on my todo


Testers are needed to verify the work; please look at the QA
