
#1609 How to write failed login attempts to logfile?

open
nobody
None
1
2020-11-23
2018-09-19
No

Hello,

I want to save my server running MRBS using fail2ban. Fail2ban is able to read log files and, if there are too many failed login attempts, to ban the IP from which these attempts are coming.

Therefore I want to write failed login attempts to a log file. How can I achieve this?

Thanks in advance!

Discussion

  • Alexander Kallenbach

    I want to secure ....

     
  • Treblig

    Treblig - 2018-09-20

    You may have noticed whenever there's a failed login, a "$vocab['unknown_user']" message is being displayed (see function PrintLogonBox). Simply write an appropriate log function that's called whenever the message is displayed.

     
  • Anonymous

    Anonymous - 2018-09-20

    It might be easier to do it in the function authValidateUser() in the appropriate auth file (eg auth/auth_db.inc), or else in the appropriate session file (eg session/session_php.inc) just after authValidateUser() has been called.

     
    • Campbell Morrison

      Sorry - that was me above. Forgot to log in.

       
  • Alexander Kallenbach

    Created an error_log entry in the auth_ldap.inc. Thanks for your help!

     
  • M B

    M B - 2020-11-23

    We have a similar need - we would like to log failed logins so we can review them.
    What changes would we need to make for this?
    We run MRBS 1.8.0 in case that matters.
    Thanks!

     
    • Campbell Morrison

      Which authentication scheme are you using?

       
  • M B

    M B - 2020-11-23

    Sorry for not being precise. We also use LDAP.
    I found the LDAP debug flag but I'd rather not have ALL the ldap information logged.

     
    • Campbell Morrison

      Assuming you're using the 'php' session scheme then you'll need to modify session/session_php.inc and insert some code in the block (lines 129-134)

            if (($valid_username = authValidateUser($username, $password)) === false)
            {
              // Do something here, eg write failed attempt to the database
              print_header();
              print_login_form(this_page(), $target_url, $returl, get_vocab('unknown_user'));
              exit();
            }
      

      However the structure of the code has changed in 1.9.2 and you might be better off upgrading to 1.9.2 first. Then the equivalent block is lines 136-140 in lib/MRBS/Session/SessionWithLogin.php

          if (($valid_username = \MRBS\auth()->validateUser($this->form['username'], $this->form['password'])) === false)
          {
            // Do something here, eg write failed attempt to the database
            $this->authGet($this->form['target_url'], $this->form['returl'], \MRBS\get_vocab('unknown_user'));
            exit(); // unnecessary because authGet() exits, but just included for clarity
          }
      
       
  • M B

    M B - 2020-11-23

    Thanks a lot for the super fast support! I will try this asap.
    Why did Alex above refer to auth_ldap.inc whereas you refer to session_php.inc?

     
  • Campbell Morrison

    Both will work. Doing it in session_php.inc will cover all authentication types. (I realised I didn't need to ask what authentication type you were using.)

     
  • M B

    M B - 2020-11-23

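    Adding a simple

        // $username is the variable passed to authValidateUser() in this file;
        // PHP variable names are case-sensitive
        error_log("Failed login " . $username);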

    to session/session_php.inc after line 129 worked perfectly fine. Thanks!
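
A fuller version of the logging call discussed in this thread, as an added example that is not part of the original posts and is not MRBS code: it records the client address that fail2ban needs in order to ban, and escapes the attacker-controlled username so a crafted name cannot forge extra log lines. The function names, the line format and the log path are assumptions made for this illustration, and PHP 7 or later is assumed.

```php
<?php
// Added example, not MRBS code. Function names, the log line format and
// the log path are hypothetical and chosen for this illustration only.

/**
 * Build one log line for a failed login: timestamp, client address, username.
 * The username comes straight from the login form, so control characters
 * (including CR/LF), quotes and backslashes are escaped as \xNN.
 */
function format_failed_login(string $username, string $remote_addr, int $now): string
{
    // Log only a syntactically valid IP address; anything else becomes "invalid".
    $ip = filter_var($remote_addr, FILTER_VALIDATE_IP) ?: 'invalid';

    // Cap the length, then hex-escape every byte that could break the line format.
    $name = preg_replace_callback(
        '/[\x00-\x1f\x7f"\\\\]/',
        function ($m) { return sprintf('\\x%02x', ord($m[0])); },
        substr($username, 0, 128)
    );

    return sprintf('%s mrbs: failed login from %s user="%s"',
                   date('Y-m-d H:i:s', $now), $ip, $name);
}

/** Append the line to $logfile; returns false if the write fails. */
function log_failed_login(string $username, string $logfile): bool
{
    $addr = $_SERVER['REMOTE_ADDR'] ?? '';
    $line = format_failed_login($username, $addr, time());
    // message_type 3 appends to the given file and adds no newline itself.
    return error_log($line . "\n", 3, $logfile);
}

// In the block marked "Do something here" one would call, for example:
//   log_failed_login($username, '/var/log/mrbs/auth.log');  // path is an assumption

// Constructed sample input: a username that tries to smuggle in a second log line.
$crafted = "alice\n2020-11-23 10:00:00 mrbs: failed login from 203.0.113.9 user=\"x\"";
echo format_failed_login($crafted, '198.51.100.7', 1606125600), "\n";
```

With this line format, a fail2ban filter can match on `failed login from <HOST>`; the log file must be writable by the web server user and readable by fail2ban.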

     