In order to integrate your login failures with crad-log-watcher, to have remote IP blocked automatically when some number of login failures are reached, follow the next guide.
Next steps will help you to create a login failure handler that will track and manage login failures for any given application, to block source IP in the case a configurable threshold is reached.
First, you have to make your web or server application to generate a log indication about the IP that is going to be blocked.
We recommend sending this log to syslog because it is accesible to all system users and requires no special privileges. That will simply next steps. If you decide to send this information to another log, just adapt everything as needed.
With PHP, generating such log will be:
// in case of login failure :: $remoteAddr = $_SERVER['REMOTE_ADDR']; $currentWeb = $_SERVER['SERVER_NAME']; $loginAttempted = // point this variable to the login that was attempted and failed syslog (LOG_INFO, "Login failure from [$remoteAddr] access denied to [$currentWeb] with user [$loginAttempted]");
This will make record a log to syslog everytime a login failure happens.
This change will be required for every web page or server to be protected.
Now, you have to create a custom handler for crad-log-watcher that reads these logs, keep track about login failures and block IPs reaching a threshold:
For that, create a file called login_failure_handler.py with the following content (adapt as needed):
#!/usr/bin/python from core_admin_common import support from core_admin_agent import checker, watcher # database for tracking login failures database_path = "/etc/core-admin/client/my.watcher.sql" def init (): # notify this is child for checker notification checker.is_child = True # track and lock login failures (status, info) = watcher.create_track_login_failure_tables (database_path) if not status: return (False, "Unable to create ip_registry table, error was: %s" % info) return (True, None) # return ok init def handle_line (line, source_log): # only process log failures to block if "login failure from [" in line.lower () and "access denied to [" in line.lower (): # assuming log error format: # Jul 7 16:15:29 node04-grupodw python: Login failure from [126.96.36.199] access denied to [http://foobar.com] with user [userAccess1] source_ip_to_block = line.lower ().split ("login failure from [").split ("]") login_failure_because = line.lower ().split ("access denied to [").split ("]") user_login = line.lower ().split ("with user [").split ("]") # configure notification reason = "Access failure to %s" % login_failure_because fail_logins_before_block = 10 # call to track user and ip watcher.track_and_report_login_failure (user_login, source_ip_to_block, reason, database_path, fail_logins_before_block, source_log) # end if return
Now, place these file into /var/beep/core-admin/client-agent/log-handlers
Now, inside /etc/core-admin/client/log-watcher.d, create a file that links your /var/log/syslog with the handler you have just created. For example, make that file have the following path: /etc/core-admin/client/log-watcher.d/custom-login-failures-blocker
<log src="/var/log/syslog" handler="login_failure_handler" />
- After that, just restart crad-log-watcher to have it loading your login_failure_handler and configuration created with:
- Supervise crad-log-watcher execution to ensure everything is working with:
# tail -f /var/log/syslog | grep crad-log-watcher
Now, test your development by causing login failures to protected system. You should see logs created at /var/log/syslog.
If you do not see login failure logs, it will not work. Review your code to ensure these logs are created.
If login failure logs are created, then run the following command just to show if login failure tracking is happening:
# sqlite3 -column -header /etc/core-admin/client/syslog.watcher.sql "select * from login_failure"
Have any questions? Contact us at email@example.com (https://www.core-admin.com/portal/about-us/contact).