Plain text log file with failed login/register attempts

Discussion in 'Ideas' started by Buya, Mar 6, 2018.

Plain text log file with failed login/register attempts 4.8 5 6votes
4.8/5, 6 votes

  1. Buya

    Joined:
    Mar 6, 2018
    Messages:
    13
    Likes Received:
    1
    Hi,

    Would be nice if 3CX could generate a plain text log file containing failed login attempts information.
    For all login types : HTTP logins to the 3CX manager, SIP REGISTER requests etc...

    For example :
    2018-01-12 17:32:45 Failed HTTP login attempt from 34.56.93.143
    2018-01-12 17:32:45 Failed HTTP login attempt from 34.56.93.143
    2018-01-12 17:32:46 Failed HTTP login attempt from 34.56.93.143
    2018-01-12 17:32:47 Failed HTTP login attempt from 34.56.93.143
    2018-01-15 02:41:12 Attack detected from 45.87.178.23
    2018-01-15 02:41:13 Attack detected from 45.87.178.23
    2018-01-17 07:12:34 Failed SIP register attempt from 74.32.59.197
    2018-01-17 07:12:39 Failed SIP register attempt from 74.32.59.197
    2018-01-17 07:12:43 Failed SIP register attempt from 74.32.59.197

    On Linux, we would then be able to use Fail2ban to ban bad IPs, at firewall level.
    Fail2ban would simply be fed with this log file and would automatically ban, based on its configured rules (bantime, findtime, maxretry etc...).
    That would really be perfect.

    3CX dev team, thank you very much for your support !

    Edit : related post : Anti-hacking Module / Blacklist Notifications / LOGS

    Of course feel free to vote (using the stars at the top of this topic) if interested !
     
    #1 Buya, Mar 6, 2018
    Last edited: Mar 8, 2018
    Chris W. likes this.
  2. DocTechAZ

    Joined:
    Nov 17, 2017
    Messages:
    52
    Likes Received:
    15
    or at least get them out via syslog, so we can pipe them to whatever we need to seperately.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Chris W. likes this.
  3. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Yes, usage of logs would be great where fail2ban could be used, but usage of syslog would be best since it can be directed to standard unix logging server where logs could be processed. :) awesome idea!!! On windows server usage of event logs could be utilized too probably so win users are not left behind I guess :)))
     
    Buya likes this.
  4. Buya

    Joined:
    Mar 6, 2018
    Messages:
    13
    Likes Received:
    1
    Yep syslog would be nice too, as we would then be able to make a syslog rule to redirect 3CX messages to a dedicated log file, and plug Fail2ban to it :)
     
  5. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Exactly
     
  6. DocTechAZ

    Joined:
    Nov 17, 2017
    Messages:
    52
    Likes Received:
    15
    3cx already uses nginx, and on linux, it would be 1 line of code to have the failed login drop to the builtin syslog daemon on the server. literally 1 line of code.

    3CX disables the nginx logs however, for reasons i cannot fathom, perhaps to save disk and load, but at least give us options to flip them back on.

    3CX, Can we have 1 line of code please? Thanks ;)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Buya

    Joined:
    Mar 6, 2018
    Messages:
    13
    Likes Received:
    1
    Well, I'm also talking about failed SIP REGISTER requests, I then updated the first post accordingly.
     
    #7 Buya, Mar 8, 2018
    Last edited: Mar 12, 2018
  8. DocTechAZ

    Joined:
    Nov 17, 2017
    Messages:
    52
    Likes Received:
    15
    so 2 lines....
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. palmaz

    Joined:
    Aug 22, 2017
    Messages:
    43
    Likes Received:
    13
    +1
     
    Buya likes this.
  10. Silly English Kniggit

    Joined:
    Sep 13, 2017
    Messages:
    220
    Likes Received:
    85
    Fairly sure you could parse at least some this out of the DB, while we wait for 3CX to address issues about logging and monitoring. I know 3CX auto-blocklist gets logged to DB.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Buya

    Joined:
    Mar 6, 2018
    Messages:
    13
    Likes Received:
    1
    Yes but then, if you run this tool on a 5 minutes basis, you give the attacker a 5 minutes window to do whatever he wants...
    A real-time logfile of course is better, well this is why we opened this feature request :)
    Let's hope 3CX will implement it !