It seems invalid login attempts with the IP address are not sent to the log file.
```
sudo tail -f /var/log/syslog
```
Now try and log in to osticket with invalid login name and password
It never gets sent to the log
Expected behavior:
I expect that when an invalid login attempt happens it should get sent to the log file.
Actual behavior:
Unfortunately it never got sent to the log.
Admin panel -> Dashboard -> Information which also additionally gives you information about your server.
Ubuntu 20.04
osTicket Version | v1.14.2 (cba6035)
Web Server Software | Apache/2.4.41 (Ubuntu)
MySQL Version | 8.0.22
PHP Version | 7.4.3
I do see that on the admin panel dashboard there is log info for invalid login attempts, but as far as I can tell these do not exist in any log files, so I am assuming they must be within the database. This prevents me from being able to use the fail2ban program. I have custom fail2ban actions, such as notifying a central server so that the offending IP is banned at the firewall at the edge of the network directly.
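As far as I can tell it's as easy as adding this snippet to your PHP page that handles the login process:
```
// Client address as seen by the web server
$ipaddress = getenv("REMOTE_ADDR");
// openlog() requires a facility as its third argument; LOG_PERROR also copies the message to stderr
openlog("phperrors", LOG_PID | LOG_PERROR, LOG_SYSLOG);
syslog(LOG_ERR, "Wrong username or password from " . $ipaddress);
closelog();
```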
Hope this can be resolved. If the log file does exist and I somehow missed it, then I would appreciate some help finding it.
I would be very surprised if any web application could write directly to syslog. Things like this are usually handled at the webserver level.
For Apache, see https://httpd.apache.org/docs/2.4/logs.html
You would also need to go to Admin panel -> Settings -> System and set Default Log Level to ERROR.
And it will log things to osTicket's internal syslog like this:
```
log_id;log_type;title;log;logger;ip_address;created;updated
```
Note: it does not log every single time a user fails to log in.
You also have control over how much is considered excessive for Agents:
Admin panel -> Settings -> Agents
and Users:
Admin panel -> Settings -> Users
I am a sysadmin. Plenty of applications write to the syslog without issue, and I have fail2ban configured for all of them. To list a few: Nextcloud, WordPress, FreePBX, Nagios, Gitea, Emoncms, ...
In fact most apps can either write to syslog or to some form of error.log, security.log, or application.log etc.
I actually don't care what file the log info is sent to, so long as it is an external file (not only in some database) that fail2ban can monitor.
It also does not need to write to the log file by default, a config option could be set such as
securitylog=true;
@xekon
In the meantime you could write a very simple script to pull the logs from the db and export to a file of your choice.
Cheers.
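@JediKev Thanks for the idea. I would probably just modify the osTicket PHP login page and add this snippet:
```
// Client address as seen by the web server
$ipaddress = getenv("REMOTE_ADDR");
// openlog() requires a facility as its third argument; LOG_PERROR also copies the message to stderr
openlog("phperrors", LOG_PID | LOG_PERROR, LOG_SYSLOG);
syslog(LOG_ERR, "Wrong username or password from " . $ipaddress);
closelog();
```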
but I appreciate the response. In the meantime I do not have osticket internet facing, it is internal use only because of not being able to use fail2ban.
@ntozier I set Settings > System > Default Log Level to ERROR. Next, for both Agents and Users, I set excessive logins to 1 failed login attempt and 1 minute locked out.
I then try logging in repeatedly with the wrong password while watching both the error and access log:
```
sudo grc tail -f /var/log/apache2/access.log
sudo grc tail -f /var/log/apache2/error.log
```
Every time I hit the page with an invalid login I can see a new line in the access log, but invalid login attempts never get sent to either the error or access logs.
Yes, it's possible to log stuff, e.g. to the PHP error log via error_log(), but osTicket doesn't do so for any type of error, so this is not a bug but rather a feature request. I suggest a plugin, log-error, that would listen to the error log signal and do whatever it wants with it, e.g. log it.
If anyone wants to take a stab at it then I'll be happy to provide some guidance.
Thanks,
I would like to try making the plugin. Is there an example plugin framework I can get started with?
I maintain a list of resources for osTicket on my web site tmib.net/resources-for-osticket and I have this list cross-posted on the forums at https://forum.osticket.com/d/92286-resources-for-osticket. I think that it should go without saying that there is also a pretty active community at the forums who may be able to assist with direct questions as well.
Here is the Development Resources section of that list.
Repo – Signals Docs – How signals work.
Unofficial Plugin Development Guide – Provides reverse-engineered instructions on how to develop an osTicket plugin.
Honestly I could not really find any resources to get started with that gave a clear example such as a "Hello World" plugin, something bare bones and easy to understand.
I did however resolve this and have fail2ban working.
```
sudo nano /var/www/osTicket/scp/login.php
```
Find this line:
```
$show_reset = true;
```
Below it add these lines:
```
$ipaddress = getenv("REMOTE_ADDR");
openlog("phperrors", LOG_PID | LOG_PERROR, LOG_SYSLOG);
syslog(LOG_ERR, "Bad Login from " . $ipaddress);
closelog();
```
Now watch your log file while trying to log into the admin panel with an incorrect password:
```
sudo tail -f /var/log/apache2/error.log
```
You will see output like this:
```
phperrors[280]: Bad Login from 111.222.33.44
```
To create a fail2ban jail for this:
```
sudo nano /etc/fail2ban/filter.d/osticket.conf
```
```
[Definition]
failregex = .*Bad Login from <HOST>$
ignoreregex =
```
```
sudo nano /etc/fail2ban/jail.local
```
```
[osticket]
enabled = true
filter = osticket
action = iptables-allports
logpath = /var/log/apache2/error.log
maxretry = 1
```
Now reboot:
```
sudo reboot
```
Congratulations, you are now banning the people trying to brute their way into your admin panel.
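
The filter from the post above, checked against sample log lines. This is an added example and not part of the original thread. It emulates fail2ban's matching in Python (the language failregex patterns are written for), using a simplified IPv4-only stand-in for the `<HOST>` tag, constructed log lines, and a stricter anchored pattern that is a suggestion added here.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the
# real expansion also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex exactly as posted in the thread, and a stricter variant (added
# here) tied to the "phperrors[pid]:" prefix that the openlog() call emits.
POSTED = r".*Bad Login from <HOST>$"
ANCHORED = r"^phperrors\[\d+\]: Bad Login from <HOST>$"

# Constructed sample lines; the first uses the output format shown in the post.
SAMPLE_LOG = """\
phperrors[280]: Bad Login from 111.222.33.44
phperrors[281]: Bad Login from 111.222.33.44
phperrors[290]: Bad Login from 198.51.100.7
[php7:notice] [pid 300] [client 192.0.2.10:50000] debug: last message was Bad Login from 203.0.113.9
phperrors[291]: Bad Login from 198.51.100.7, retrying
""".splitlines()


def compile_failregex(failregex):
    """Substitute the <HOST> tag, then compile, as fail2ban does for a filter."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures(lines, failregex):
    """Count matching lines per host, like fail2ban's per-IP failure counter."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(lines, failregex, maxretry=1):
    """Hosts whose failure count reaches maxretry (the jail in the post uses 1)."""
    return sorted(h for h, n in failures(lines, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    print("posted  :", would_ban(SAMPLE_LOG, POSTED))
    print("anchored:", would_ban(SAMPLE_LOG, ANCHORED))
```

With `maxretry = 1`, the posted pattern also counts the fourth line, which was not written by the login hook, while the anchored pattern only counts lines that start with the `phperrors[pid]:` prefix. The last line matches neither pattern because of the `$` anchor.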