1 (edited by vmos 2013-09-02 22:13:24)

Topic: can iredadmin record username in apache log? or throw up a captcha?

==== Required information ====
- iRedMail version:  .85
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  mysql
- Linux/BSD distribution name and version: ubuntu 13.04
- Related log if you're reporting an issue:
====

I'm looking for a way to prevent brute force attacks on the iredadmin login. Personally I'm all for fail2ban and ip blocking, but I've been asked to look at a less heavy handed approach.

Is there any way to get iredadmin to throw up a captcha after a number of failed login attempts? Something like the rcguard plugin for roundcube.

I was also thinking of rolling my own using fail2ban, or using IP banning with fail2ban with stricter requirements for admins and global admins and being lenient with regular users.

However, doing this would depend on logging the username (like roundcube).

If I get a failed login, then I get something like this in the apache logs:

1.1.1.1 - - [02/Sep/2013:14:51:48 +0100] "GET /iredadmin/login?msg=INVALID_USERNAME HTTP/1.1" 200 1700 "https://mail.mydomain.net/iredadmin/login" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"

Is it possible to get the username in the apache log?


2

Re: can iredadmin record username in apache log? or throw up a captcha?

iRedAdmin logs the username in SQL database "iredadmin.log". Is it enough for you?

Apache logs a message like this if the user entered an incorrect username/password:

172.16.244.1 - - [03/Sep/2013:07:17:42 +0800] "GET /iredadmin/login?msg=INVALID_CREDENTIALS HTTP/1.1" 200 5023

INVALID_CREDENTIALS means incorrect username OR password. Is it enough for you to set up Fail2ban to ban the IP?

3

Re: can iredadmin record username in apache log? or throw up a captcha?

Well, with that I can use fail2ban to ban by IP, which isn't my preferred option but it would do the job. I just wanted to see if there was an easy way to implement an alternative.

On a related note, is there a way to restrict logins by global admins? I only want global admins to be able to login from a couple of IPs.

4

Re: can iredadmin record username in apache log? or throw up a captcha?

vmos wrote:

Well, with that I can use fail2ban to ban by IP, which isn't my preferred option but it would do the job. I just wanted to see if there was an easy way to implement an alternative.

Let me show you how to modify iRedAdmin source code to achieve your goal. You didn't mention iRedAdmin-Pro, so I guess you're running iRedAdmin open source edition.

- Open file controllers/mysql/basic.py, find the lines below:

class Login:
    …

    def POST(self):
        …
        else:
            session['failedTimes'] += 1
            web.logger(msg="Login failed.", admin=username, event='login', loglevel='error',)
            raise web.seeother('/login?msg=%s' % web.urlquote(auth_result[1]))

You can see the last line "raise …"; just append the username to it. The modified line is:

raise web.seeother('/login?msg=%s&username=%s' % (web.urlquote(auth_result[1]), username))

By the way, it works for both iRedAdmin open source edition and iRedAdmin-Pro, for all backends.

vmos wrote:

On a related note, is there a way to restrict logins by global admins? I only want global admins to be able to login from a couple of IPs.

*) Why just global admins? How about not marking mail users as domain admins? Then you have only global admins.
*) To restrict by IP address, control it with Apache instead. Something like this:

Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
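To turn the logged msg= code and the appended username into the per-role thresholds the thread discusses, here is an added example (not code from the thread or from the iRedAdmin project) that parses constructed access-log lines the way a fail2ban failregex would and flags IP/username pairs that reach their limit; GLOBAL_ADMINS, the two thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the original thread). The
# "username=" parameter is what the source modification above appends to the
# redirect; the first line shows the unmodified form.
SAMPLE_LOG = """\
1.1.1.1 - - [02/Sep/2013:14:51:48 +0100] "GET /iredadmin/login?msg=INVALID_USERNAME HTTP/1.1" 200 1700
172.16.244.1 - - [03/Sep/2013:07:17:42 +0800] "GET /iredadmin/login?msg=INVALID_CREDENTIALS&username=bob@example.com HTTP/1.1" 200 5023
172.16.244.1 - - [03/Sep/2013:07:17:50 +0800] "GET /iredadmin/login?msg=INVALID_CREDENTIALS&username=bob@example.com HTTP/1.1" 200 5023
172.16.244.1 - - [03/Sep/2013:07:18:03 +0800] "GET /iredadmin/login?msg=INVALID_CREDENTIALS&username=admin@example.com HTTP/1.1" 200 5023
172.16.244.1 - - [03/Sep/2013:07:18:09 +0800] "GET /iredadmin/login?msg=INVALID_CREDENTIALS&username=admin@example.com HTTP/1.1" 200 5023
172.16.244.1 - - [03/Sep/2013:07:18:15 +0800] "GET /iredadmin/login HTTP/1.1" 200 5023
"""

# Pattern in the style of a fail2ban failregex: client IP, then a redirect to
# /iredadmin/login carrying a failure code in the query string.
FAIL_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>/iredadmin/login\?[^ "]*msg=INVALID_[A-Z_]+[^ "]*) HTTP/'
)

# Assumed policy (not from the thread): global admins get a tighter threshold.
GLOBAL_ADMINS = {"admin@example.com"}
ADMIN_MAXRETRY = 2
USER_MAXRETRY = 5

def parse_failures(log_text):
    """Return (ip, username-or-None) for every failed-login redirect."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("path")).query)
        found.append((m.group("ip"), qs.get("username", [None])[0]))
    return found

def offenders(log_text):
    """Return sorted (ip, username) pairs whose failures reach their threshold."""
    counts = defaultdict(int)
    for pair in parse_failures(log_text):
        counts[pair] += 1
    hits = []
    for (ip, user), n in counts.items():
        limit = ADMIN_MAXRETRY if user in GLOBAL_ADMINS else USER_MAXRETRY
        if n >= limit:
            hits.append((ip, user))
    return sorted(hits, key=lambda p: (p[0], p[1] or ""))
```

With the sample above, only the admin account's two failures from 172.16.244.1 reach the stricter admin limit; the ordinary user's two failures stay under the user limit.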

5

Re: can iredadmin record username in apache log? or throw up a captcha?

Well, we plan on having only one global admin and want to restrict it so that that user can only log in from our office, but at the same time we have to give certain users control over their own domains (we're migrating from an existing platform that already has this feature).
We're using iredadmin-pro, but I'll try that code modification you suggested, thanks.

Unfortunately we can't use .htaccess as we're using nginx (only myself to blame for that, I guess).

6

Re: can iredadmin record username in apache log? or throw up a captcha?

Oh, your suggestion works on Apache but not nginx; it shouldn't take much figuring out, though.

7

Re: can iredadmin record username in apache log? or throw up a captcha?

vmos wrote:

Oh, your suggestion works on Apache but not nginx; it shouldn't take much figuring out, though.

What do you mean, it doesn't work on Nginx? What did you do? Did you modify config files?