Hi Sam,
there are at least 3 possibilities:
- privacyidea.log
You can try to use the privacyidea.log. But the log entries are very
atomic and it might be difficult to parse.
E.g. if a user does not exist, you will see such an entry:
[2016-01-11 12:51:40,630][24182][140611935631104][DEBUG][privacyidea.lib.user:200] user u'hans' not found in resolver u'themis2'
But this entry can occur in many different cases, not only during
authentication, but also if the administrator chooses a
non-existing user for, let's say, enrolling a token to.
- privacyidea.log
We could try to add a corresponding log entry for authentication.
Authentication has three different possible results:
- Authentication succeeds
- Authentication fails, but user exists
- User does not exist.
- Audit
You can however create your own audit module.
Derive from this Audit Base Class
http://privacyidea.readthedocs.org/en/latest/modules/audit.html?highlight=audit#base-class
and reference this module in the pi.cfg file
like
PI_AUDIT_MODULE = my.own.auditmodule
But still there is one thing:
The IP-Address will always be the IP Address of the ownCloud server -
unless the clientIP is overwritten.
This is possible in the authentication request by adding a parameter
client=1.2.3.4.
In the system settings you can define IP addresses, that are allowed to
overwrite the client IP address.
This is already implemented in the FreeRADIUS module,
but not in the ownCloud plugin.
We would have to add the client IP address to the
checkOTP function.
https://github.com/privacyidea/privacyidea/blob/master/authmodules/ownCloud/user_privacyidea/lib/otp_privacyidea.php#L202
Kind regards
Cornelius

On Monday, 11.01.2016, 02:24 -0800, Sam Marsh wrote:
Hi all,
I currently use fail2ban to block IPs when they have made 5 failed
login attempts to my owncloud server. This is logged in owncloud.log
as:
{"reqId":"VpN3U38AAQEAAGQShmoAAAAg","remoteAddr":"134.225.22.22","app":"core","message":"Login failed: 'hacker' (Remote IP: '134.225.22.22')","level":2,"time":"January 11, 2016 09:35:15"}
However since moving to use privacyidea as the authentication module,
nothing is being logged in owncloud.log for failed login attempts
(thus rendering fail2ban useless).

From what I can read, the audit log is stored in SQL - and this does
show some information around the failed login attempts:
'ERR905: The user can not be found in any resolver ' 'None' 'owncloud' '0' '192.168.100.173' 'OK' '741' '192.168.100.1' 'None' 'POST /validate/check' 'OK' 'hacker' 'None' '' '2016-01-10T20:50:52' 'None' 'None'
There are two problems here, for my scenario:
- It's not in a syslog/log file, so I can't use fail2ban on it
- It doesn't contain the source IP (I think I can sort this as it's an
issue with my iptables NAT rules not preserving the source IP; instead
it contains the virtual bridge IP address for the KVM subnet).

tl;dr - Is there a way I can direct privacyidea to output failed login
attempts to a syslog so I can regexp on it?

Best,
Sam
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel