Log Failed Logins

projectmyst · August 23, 2020, 12:00am

Hi

I know failed logins get logged on the database, but is there a way to log failed logins to the admin section on a login.log? The reason for this is because I want to setup a rule for fail2ban. I'm just looking for some things like:

failed to login user test@test.com from 192.168.1.1

any help would be appreciated.

johnbol1 · August 23, 2020, 12:00am

https://prnt.sc/u4ku55

admin>logs

no good ??

tbirnseth · August 24, 2020, 12:00am

Admin home page as "Recent Activity" block in lower right that is a list of the most recent logs. You could always write an addon that would get just the failed login entiries. But suggest you work with something like the advanced log search for:

Period = this week

Type = users

Action = Failed logins

Which would come out something like the following.

https://your_host.com/your_admin_url.php?object=&is_search=Y&period=W&time_from=08%2F24%2F2020&time_to=08%2F24%2F2020&q_user=&q_type=users&q_action=failed_login&hint_new_view=Name&dispatch%5Blogs.manage%5D=Search

You can get rid of the time period and probaby add an '&items_per_page=10' to just get the most recent 10 entries of that type.

All UNTESTED

projectmyst · August 27, 2020, 12:00am

Thanks guys, but the problem is that as far as I'm aware fail2ban can only query .log files, I don't think you can setup fail2ban filters using database.

projectmyst · August 27, 2020, 12:00am

I got us far as this, but I can't get failed to work. Can anyone help me with it?

use Tygh\Registry;
if (!defined(‘BOOTSTRAP’)) { die(‘Access denied’); }
if (AREA == ‘A’ && $mode == ‘login_form’) {

if ($mode == ‘login’) {

$login = “SUCCESS”;

} elseif ($action == ‘failed_login’) {

$login = “FAILED”;

}
if (!empty(Tygh::$app['session']['auth']['user_id'])) {
    $user_id = Tygh::$app['session']['auth']['user_id'];
} else {
    $user_id = 0;
}

$ip = fn_get_ip();

function fn_my_changes_failed_logins($log_msg) {
    $log_filename = "./var/log";
    if (!file_exists($log_filename)) 
    {
        mkdir($log_filename, 0777, true);
    }
    $log_file_data = $log_filename.'/failed_login.log';
    file_put_contents($log_file_data, $log_msg . "\n", FILE_APPEND);
}

fn_my_changes_failed_logins('[' . date('d-M-Y H:i:s') . ']' . ' ' . $login . ' ' . 'login for user' . ' ' . $user_id . ' ' . 'from' . ' ' . $ip['host']);

}

tbirnseth · August 27, 2020, 12:00am

I would use the "fill_auth" PHP hook. You can review the code for the appropriate conditions/logic (fill_auth() in fn.users.php). Note that if $user_data is empty, then it's a logout. Also check that $act_as_user is false.

You should use 'fn_mkdir()' which will set the mode as configured for the site rather than forcing it to 777. It will also handle whether the directory already exists as a directory. And note that the file could have been removed but the directory still exists..