Privacyidea logs

Hi Sam,

there are at least 3 possibilities:

  1. privacyidea.log

You can try to use the privacyidea.log. But the log entries are very
atomic and it might be difficult to parse.

E.g. if a user does not exist, you will see such an entry:

[2016-01-11
12:51:40,630][24182][140611935631104][DEBUG][privacyidea.lib.user:200]
user u’hans’ not found in resolver u’themis2’

But this entry can occur in many different cases - not only during
authentication. But also if the administrator would choose a
non-existing user for - lets say - enrolling a token to.

  1. privacyidea.log

We could try to add a corresponding log entry for authentication.
Authentication has three different possible results:

  1. Authentication succeeds

  2. Authentication fails, but user exists

  3. User does not exist.

  4. Audit

You can however create your own audit module.
Derive from this Audit Base Class
http://privacyidea.readthedocs.org/en/latest/modules/audit.html?highlight=audit#base-class

and reference this module in the pi.cfg file


like

PI_AUDIT_MODULE = my.own.auditmodule

But still there is one thing:

The IP-Address will always be the IP Address of the ownCloud server -
unless the clientIP is overwritten.
This is possible in the authentication request by adding a parameter
client=1.2.3.4.

In the system settings you can define IP addresses, that are allowed to
overwrite the client IP address.
This is already implemented in the FreeRADIUS module

But not in the ownCloud plugin.
We would have to add the client IP address to the
checkOTP function.
https://github.com/privacyidea/privacyidea/blob/master/authmodules/ownCloud/user_privacyidea/lib/otp_privacyidea.php#L202

Kind regards
CorneliusAm Montag, den 11.01.2016, 02:24 -0800 schrieb Sam Marsh:

Hi all,

I currently use fail2ban to block IP’s when they have made 5 failed
login attempts to my owncloud server. This is logged in owncloud.log
as:

    {"reqId":"VpN3U38AAQEAAGQShmoAAAAg","remoteAddr":"134.225.22.22","app":"core","message":"Login failed: 'hacker' (Remote IP: '134.225.22.22')","level":2,"time":"January 11, 2016 09:35:15"}

However since moving to use privacyidea as the authentication module,
nothing is being logged in owncloud.log for failed login attempts
(thus rendering fail2ban useless).

From what I can read, the audit log is stored in SQL - and this does
show some information around the failed login attempts:

    'ERR905: The user can not be found in any resolver '
    'None'
    'owncloud'
    '0'
    '192.168.100.173'
    'OK'
    '741'
    '192.168.100.1'
    'None'
    'POST /validate/check'
    'OK'
    'hacker'
    'None'
    ''
    '2016-01-10T20:50:52'
    'None'
    'None'

There are two problems here, for my scenario:

  1. Its not in a syslog/log file, so i cant use fail2ban on it
  2. It doesnt contain the source IP (i think I can sort this as its an
    issue with my iptables NAT rules not preserving the source IP, instead
    it contains the virtual bridge IP address for the KVM subnet).

tl;dr - Is there a way i can direct privacyidea to output failed login
attempts to a syslog so i can regexp on it?

Best,
Sam

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/cd3b2103-dbee-41f1-be09-fdad6434f357%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Cornelius,

Ah - yes im struggling with the source at the moment. Im hoping I can find
a way to get the remoteIP logged and the username via the owncloud module
now, instead of getting it via privacyidea, as a cheats way of solving the
problem :slight_smile:

Best
SamOn Monday, January 11, 2016 at 12:04:08 PM UTC, Cornelius Kölbel wrote:

Hi Sam,

there are at least 3 possibilities:

  1. privacyidea.log

You can try to use the privacyidea.log. But the log entries are very
atomic and it might be difficult to parse.

E.g. if a user does not exist, you will see such an entry:

[2016-01-11
12:51:40,630][24182][140611935631104][DEBUG][privacyidea.lib.user:200]
user u’hans’ not found in resolver u’themis2’

But this entry can occur in many different cases - not only during
authentication. But also if the administrator would choose a
non-existing user for - lets say - enrolling a token to.

  1. privacyidea.log

We could try to add a corresponding log entry for authentication.
Authentication has three different possible results:

  1. Authentication succeeds

  2. Authentication fails, but user exists

  3. User does not exist.

  4. Audit

You can however create your own audit module.
Derive from this Audit Base Class

http://privacyidea.readthedocs.org/en/latest/modules/audit.html?highlight=audit#base-class

and reference this module in the pi.cfg file

https://github.com/privacyidea/privacyidea/blob/b0d6fe7fd084c4164630689d885b64f28f3bd5dd/privacyidea/lib/audit.py#L86
like

    PI_AUDIT_MODULE = my.own.auditmodule 

But still there is one thing:

The IP-Address will always be the IP Address of the ownCloud server -
unless the clientIP is overwritten.
This is possible in the authentication request by adding a parameter
client=1.2.3.4.

In the system settings you can define IP addresses, that are allowed to
overwrite the client IP address.
This is already implemented in the FreeRADIUS module

https://github.com/privacyidea/FreeRADIUS/blob/master/privacyidea_radius.pm#L285

But not in the ownCloud plugin.
We would have to add the client IP address to the
checkOTP function.

https://github.com/privacyidea/privacyidea/blob/master/authmodules/ownCloud/user_privacyidea/lib/otp_privacyidea.php#L202

Kind regards
Cornelius

Am Montag, den 11.01.2016, 02:24 -0800 schrieb Sam Marsh:

Hi all,

I currently use fail2ban to block IP’s when they have made 5 failed
login attempts to my owncloud server. This is logged in owncloud.log
as:

{“reqId”:“VpN3U38AAQEAAGQShmoAAAAg”,“remoteAddr”:“134.225.22.22”,“app”:“core”,“message”:“Login
failed: ‘hacker’ (Remote IP: ‘134.225.22.22’)”,“level”:2,“time”:“January
11, 2016 09:35:15”}

However since moving to use privacyidea as the authentication module,
nothing is being logged in owncloud.log for failed login attempts
(thus rendering fail2ban useless).

From what I can read, the audit log is stored in SQL - and this does
show some information around the failed login attempts:

    'ERR905: The user can not be found in any resolver ' 
    'None' 
    'owncloud' 
    '0' 
    '192.168.100.173' 
    'OK' 
    '741' 
    '192.168.100.1' 
    'None' 
    'POST /validate/check' 
    'OK' 
    'hacker' 
    'None' 
    '' 
    '2016-01-10T20:50:52' 
    'None' 
    'None' 

There are two problems here, for my scenario:

  1. Its not in a syslog/log file, so i cant use fail2ban on it
  2. It doesnt contain the source IP (i think I can sort this as its an
    issue with my iptables NAT rules not preserving the source IP, instead
    it contains the virtual bridge IP address for the KVM subnet).

tl;dr - Is there a way i can direct privacyidea to output failed login
attempts to a syslog so i can regexp on it?

Best,
Sam

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/cd3b2103-dbee-41f1-be09-fdad6434f357%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel