Core-Admin
Core-Admin
Server admin easy

Blog

Home2017July

Archive for July, 2017

Integrating with Crad-Log-Watcher to block IPs due login failures for your custom web/server app

Posted by on July 7, 2017

[extoc]

In order to integrate your login failures with crad-log-watcher, to have remote IP blocked automatically when some number of login failures are reached, follow the next guide.

Next steps will help you to create a login failure handler that will track and manage login failures for any given application, to block source IP in the case a configurable threshold is reached.

  1. First, you have to make your web or server application to generate a log indication about the IP that is going to be blocked.

    We recommend sending this log to syslog because it is accesible to all system users and requires no special privileges. That will simply next steps. If you decide to send this information to another log, just adapt everything as needed.

    With PHP, generating such log will be:

    // in case of login failure ::
        $remoteAddr = $_SERVER['REMOTE_ADDR'];
        $currentWeb   = $_SERVER['SERVER_NAME'];
        $loginAttempted = // point this variable to the login that was attempted and failed
        syslog (LOG_INFO, "Login failure from [$remoteAddr] access denied to [$currentWeb] with user [$loginAttempted]");

    This will make record a log to syslog everytime a login failure happens.
    This change will be required for every web page or server to be protected.

  2. Now, you have to create a custom handler for crad-log-watcher that reads these logs, keep track about login failures and block IPs reaching a threshold:

    For that, create a file called login_failure_handler.py with the following content (adapt as needed):

    #!/usr/bin/python

from core_admin_common import support
from core_admin_agent  import checker, watcher

# database for tracking login failures
database_path = "/etc/core-admin/client/my.watcher.sql"

def init ():

    # notify this is child for checker notification
    checker.is_child = True

    # track and lock login failures
    (status, info) = watcher.create_track_login_failure_tables (database_path)
    if not status:
        return (False, "Unable to create ip_registry table, error was: %s" % info)

    return (True, None) # return ok init

def handle_line (line, source_log):

    # only process log failures to block
    if "login failure from [" in line.lower () and "access denied to [" in line.lower ():
        
        # assuming log error format:
        # Jul  7 16:15:29 node04-grupodw python: Login failure from [88.99.109.209] access denied to [http://foobar.com] with user [userAccess1]
    
        source_ip_to_block    = line.lower ().split ("login failure from [")[1].split ("]")[0]
        login_failure_because = line.lower ().split ("access denied to [")[1].split ("]")[0]
        user_login            = line.lower ().split ("with user [")[1].split ("]")[0]

        # configure notification
        reason                   = "Access failure to %s" % login_failure_because
        fail_logins_before_block = 10
        
        # call to track user and ip
        watcher.track_and_report_login_failure (user_login, source_ip_to_block, reason, database_path, fail_logins_before_block, source_log)

    # end if
    
    return

  3. Now, place these file into /var/beep/core-admin/client-agent/log-handlers

  4. Now, inside /etc/core-admin/client/log-watcher.d, create a file that links your /var/log/syslog with the handler you have just created. For example, make that file have the following path: /etc/core-admin/client/log-watcher.d/custom-login-failures-blocker

    <log src="/var/log/syslog" handler="login_failure_handler" />
  5. After that, just restart crad-log-watcher to have it loading your login_failure_handler and configuration created with: 
    /etc/init.d/crad-log-watcher restart
  6. Supervise crad-log-watcher execution to ensure everything is working with: 
    # tail -f /var/log/syslog | grep crad-log-watcher

  7. Now, test your development by causing login failures to protected system. You should see logs created at /var/log/syslog.
    If you do not see login failure logs, it will not work. Review your code to ensure these logs are created.

  8. If login failure logs are created, then run the following command just to show if login failure tracking is happening:

    # sqlite3 -column -header /etc/core-admin/client/syslog.watcher.sql "select * from login_failure"

Have any questions? Contact us at support@core-admin.com (https://www.core-admin.com/portal/about-us/contact).

Pin It

Posted in: Blacklist, Firewall, Security

Leave a Comment (0) →

Fixing Dovecot panic mail-index-sync-keywords.c, broken dovecot indexes

Posted by on July 6, 2017

Keyword index

  • Dovecot broken indexes
  • Panic: file mail-index-sync-keywords.c:
  • dovecot_mailbox_broken_indexes

Introduction

If you have problems while accessing to a mailbox and after reviewing logs you find something like:

Jul  4 10:44:22 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Jul  4 10:44:31 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Jul  4 10:45:04 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Jul  4 10:45:23 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Jul  4 10:45:34 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Jul  4 10:46:40 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Jul  4 10:48:45 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))

Then, one or more dovecot index and/or cache files are broken. This happens due to moving a mailbox from different dovecot versions. It can also happens with
outdated dovecot servers.

Resolution

Core-Admin will detect these errors automatically and will report a: dovecot_mailbox_broken_indexes

Click on it and then click on “Reset dovecot indexes”.

That will clear all dovecot indexes at the destination machine, for the failing mailbox.

If you want to fix it manually, locate mailbox associated to the user and run the following command
(update it accordingly to the user mailbox failing):

>> find /var/spool/dovecot/mail/core-admin.com/someuser  -name 'dovecot*' -type f -delete"

After that, you should have fixed the problem. No dovecot restart required.

Pin It

Posted in: Core-Admin, Dovecot

Leave a Comment (0) →

Get Core-Admin now!

Check out current Core-Admin editions available to see the one that fits your needs!

Get Core-Admin Now!