mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-08-15 19:50:44 +03:00
Added basic auth.log support.
This commit is contained in:
Ylian Saint-Hilaire
parent
070dd05267
commit
2cb3df77c5
@ -861,6 +861,13 @@ function CreateMeshCentralServer(config, args) {
|
||||
obj.StartEx1b = function () {
|
||||
var i;
|
||||
|
||||
// Linux format /var/log/auth.log
|
||||
if (obj.config.settings.authlog != null) {
|
||||
obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) {
|
||||
if (err == null) { obj.authlog = fd; } else { console.log('ERROR: Unable to open: ' + obj.config.settings.authlog); }
|
||||
})
|
||||
}
|
||||
|
||||
// Check if self update is allowed. If running as a Windows service, self-update is not possible.
|
||||
if (obj.fs.existsSync(obj.path.join(__dirname, 'daemon'))) { obj.serverSelfWriteAllowed = false; }
|
||||
|
||||
@ -2181,6 +2188,15 @@ function CreateMeshCentralServer(config, args) {
|
||||
obj.getServerWarnings = function () { return serverWarnings; }
|
||||
obj.addServerWarning = function(msg, print) { serverWarnings.push(msg); if (print !== false) { console.log("WARNING: " + msg); } }
|
||||
|
||||
// auth.log functions
|
||||
obj.authLog = function(server, msg) {
|
||||
if (obj.authlog == null) return;
|
||||
var d = new Date();
|
||||
var month = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'][d.getMonth()];
|
||||
var msg = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(),2) + ':' + obj.common.zeroPad(d.getMinutes(),2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32')?'\r\n':'\n');
|
||||
obj.fs.write(obj.authlog, msg, function (err, written, string) { });
|
||||
}
|
||||
|
||||
// Return the path of a file into the meshcentral-data path
|
||||
obj.getConfigFilePath = function (filename) {
|
||||
if ((obj.config != null) && (obj.config.configfiles != null) && (obj.config.configfiles[filename] != null) && (typeof obj.config.configfiles[filename] == 'string')) {
|
||||
|
||||
@ -40,7 +40,11 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
|
||||
obj.server.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
|
||||
}
|
||||
|
||||
obj.server.listen(args.mpsport, function () { console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + "."); }).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available."); if (args.exactports) { process.exit(); } });
|
||||
obj.server.listen(args.mpsport, function () {
|
||||
console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + ".");
|
||||
obj.parent.authLog('mps', 'Server listening on 0.0.0.0 port ' + args.mpsport + '.');
|
||||
}).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available."); if (args.exactports) { process.exit(); } });
|
||||
|
||||
obj.server.on('tlsClientError', function (err, tlssocket) { if (args.mpsdebug) { var remoteAddress = tlssocket.remoteAddress; if (tlssocket.remoteFamily == 'IPv6') { remoteAddress = '[' + remoteAddress + ']'; } console.log('MPS:Invalid TLS connection from ' + remoteAddress + ':' + tlssocket.remotePort + '.'); } });
|
||||
obj.parent.updateServerState('mps-port', args.mpsport);
|
||||
obj.parent.updateServerState('mps-name', certificates.AmtMpsName);
|
||||
|
||||
@ -127,10 +127,11 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
|
||||
obj.tcpServer = obj.app.listen(port, function () {
|
||||
obj.port = port;
|
||||
console.log("MeshCentral HTTP redirection server running on port " + port + ".");
|
||||
obj.parent.updateServerState("redirect-port", port);
|
||||
obj.parent.authLog('http', 'Server listening on 0.0.0.0 port ' + port + '.');
|
||||
obj.parent.updateServerState('redirect-port', port);
|
||||
func(obj.port);
|
||||
}).on("error", function (err) {
|
||||
if ((err.code == "EACCES") && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); }
|
||||
}).on('error', function (err) {
|
||||
if ((err.code == 'EACCES') && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); }
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@ -37,6 +37,7 @@
|
||||
"_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
|
||||
"_AgentAllowedIP": "192.168.0.100/24",
|
||||
"_AgentBlockedIP": "127.0.0.1,::1",
|
||||
"_AuthLog": "c:\\temp\\auth.log",
|
||||
"_LocalDiscovery": {
|
||||
"name": "Local server name",
|
||||
"info": "Information about this server"
|
||||
|
||||
14
webserver.js
14
webserver.js
@ -695,6 +695,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
if ((req.body.token != null) || (req.body.hwtoken != null)) {
|
||||
randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds.
|
||||
req.session.messageid = 108; // Invalid token, try again.
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed 2FA for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.port); }
|
||||
parent.debug('web', 'handleLoginRequest: invalid 2FA token');
|
||||
obj.parent.DispatchEvent(['*', 'server-users', 'user/' + domain.id + '/' + user.name], obj, { action: 'authfail', username: user.name, userid: 'user/' + domain.id + '/' + user.name, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + cleanRemoteAddr(req.ip) });
|
||||
obj.setbadLogin(req);
|
||||
@ -717,6 +718,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
|
||||
// Login successful
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
|
||||
parent.debug('web', 'handleLoginRequest: successful 2FA login');
|
||||
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct);
|
||||
}
|
||||
@ -725,10 +727,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
|
||||
// Login successful
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
|
||||
parent.debug('web', 'handleLoginRequest: successful login');
|
||||
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct);
|
||||
} else {
|
||||
// Login failed, wait a random delay
|
||||
// Login failed, log the error
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
|
||||
|
||||
// Wait a random delay
|
||||
setTimeout(function () {
|
||||
// If the account is locked, display that.
|
||||
if (typeof xusername == 'string') {
|
||||
@ -1377,16 +1383,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
// Login using SSPI
|
||||
domain.sspi.authenticate(req, res, function (err) {
|
||||
if ((err != null) || (req.connection.user == null)) {
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed SSPI-auth for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
|
||||
parent.debug('web', 'handleRootRequest: SSPI auth required.');
|
||||
res.end('Authentication Required...');
|
||||
} else {
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted SSPI-auth for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
|
||||
parent.debug('web', 'handleRootRequest: SSPI auth ok.');
|
||||
handleRootRequestEx(req, res, domain, direct);
|
||||
}
|
||||
});
|
||||
} else if (req.query.user && req.query.pass) {
|
||||
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is not good security... but people are requesting this option.
|
||||
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option.
|
||||
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid) {
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
|
||||
parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
|
||||
req.session.userid = userid;
|
||||
req.session.domainid = domain.id;
|
||||
@ -3804,6 +3813,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
obj.tcpServer = obj.tlsServer.listen(port, function () { console.log('MeshCentral HTTPS server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
|
||||
obj.parent.updateServerState('servername', certificates.CommonName);
|
||||
}
|
||||
if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on 0.0.0.0 port ' + port + '.'); }
|
||||
obj.parent.updateServerState('https-port', port);
|
||||
if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); }
|
||||
} else {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user