Ilya
February 6, 2015, 2:32pm
1
If I want to block a brute-force attack, I usually use fail2ban.
cat /opt/openfire/logs/info.log:
…
2015.02.06 13:33:08 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: green.bus
…
But no IP address! Nothing to ban!
As I can see from “Enable fail2ban to monitor openfire login logs”, there is a “fix” to change the log content:
Then I’ve modified org.jivesoftware.openfire.net.SASLAuthentication ,
before
Line 288
Log.info("User Login Failed. " + e.getMessage());
after
Log.info("User Login Failed. " + e.getMessage() + " " + session.getHostAddress());
//add try/catch around this line, because getHostAddress() might throw an exception
This will provide us with everything fail2ban needs - an IP address and the time
2012.04.13 15:40:44 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: test@192.168.253.5 IP: 192.168.253.10
But I don’t understand how to change the property org.jivesoftware.openfire.net.SASLAuthentication! Where must this property be changed/placed?
Could you help me?
wroot
February 7, 2015, 1:20pm
2
It is not an option, it is the actual source code of the server which is in that example. If you want to follow this, you have to download the server’s source code, alter it and compile your own version of the server.
Ilya
February 12, 2015, 7:49am
3
Sorry for the delay in answering…
It is very unhelpful and very strange, because the security of a service available over the public internet must be important.
Thank you!
wroot
February 12, 2015, 9:19am
4
I’m not saying whether this is bad or good, just explaining the situation. If you provide a final patch (in diff format), it will be filed in the bug tracker system and then one of the developers will evaluate it (maybe). Though some users (admins) might not want to register IP addresses because of their users’ privacy concerns. So maybe this should be optional.
Ilya
February 27, 2015, 9:36am
5
Ok, second variant:
/opt/openfire/lib/log4j.xml defines the log format.
For example:
Note the string %d{yyyy.MM.dd HH:mm:ss} %c - %m%n:
2015.02.27 09:09:55 org.jivesoftware.admin.LoginLimitManager - Failed admin console login attempt by admin from 192.168.2.111
%m%n ->
Failed admin console login attempt by admin from 192.168.2.111
Maybe there are other options except %m and %n?
Or is this only a method to see, but not catch, events?
Added:
There is another log options file: /opt/openfire/jre/lib/logging.properties
(by the way, executable! -rwxr-xr-x )
But I don’t know if this is a wrong way to solve my question…
Added 2:
Might it be possible to compile only one module and replace it on a working server or not? If yes, could you explain to me how? I have never compiled from sources…
wroot
February 27, 2015, 1:03pm
6
I’m not a developer myself, can’t help with compiling.
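An added example, not part of the thread and not Openfire or fail2ban code: the matching that a fail2ban filter would have to do on the three log line shapes quoted above, showing that the stock SASL line is a countable failure with nothing to ban, while the admin console line and the patched SASL line yield an address. The function names, the `maxretry`/`findtime` values and the sample timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout from the thread's log4j.xml: %d{yyyy.MM.dd HH:mm:ss} %c - %m%n
LINE = re.compile(r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) (?P<logger>\S+) - (?P<msg>.*)$")
# In a fail2ban failregex this group would be written as the <HOST> tag.
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
WITH_HOST = [
    # Admin console failure: the stock message already ends with the source address.
    re.compile(r"^Failed admin console login attempt by \S+ from " + IPV4 + r"$"),
    # SASL failure in the patched format quoted in post 1. Anchoring the address
    # to end-of-line means text inside the user-supplied name cannot pose as it.
    re.compile(r"^User Login Failed\. .* IP: " + IPV4 + r"$"),
]
# Stock SASL failure: recognisable as a failure, but carries no address.
NO_HOST = re.compile(r"^User Login Failed\. ")

def classify(line):
    """Return (timestamp, host-or-None) for a login failure, None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S")
    for pattern in WITH_HOST:
        if hit := pattern.match(m["msg"]):
            return ts, hit["host"]
    return (ts, None) if NO_HOST.match(m["msg"]) else None

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with maxretry failures inside findtime, plus the count of failures with no address."""
    recent, banned, unattributed = defaultdict(list), set(), 0
    for ts, host in filter(None, map(classify, lines)):
        if host is None:
            unattributed += 1
            continue
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned, unattributed

# Constructed sample: line shapes taken from the thread, timestamps varied.
SAMPLE = [
    "2012.04.13 15:40:44 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: test@192.168.253.5 IP: 192.168.253.10",
    "2015.02.06 13:33:08 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: green.bus",
    "2015.02.27 09:09:55 org.jivesoftware.admin.LoginLimitManager - Failed admin console login attempt by admin from 192.168.2.111",
    "2015.02.27 09:10:01 org.jivesoftware.admin.LoginLimitManager - Failed admin console login attempt by admin from 192.168.2.111",
    "2015.02.27 09:10:07 org.jivesoftware.admin.LoginLimitManager - Failed admin console login attempt by admin from 192.168.2.111",
]
```

Calling `hosts_to_ban(SAMPLE)` returns the one admin console source that reached three failures and a count of one SASL failure that cannot be attributed to any address.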