From 2cb3df77c52abb5239669519b9aae64af023a38e Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Mon, 17 Feb 2020 10:24:32 -0800 Subject: [PATCH] Added basic auth.log support. --- meshcentral.js | 16 ++++++++++++++++ mpsserver.js | 6 +++++- redirserver.js | 7 ++++--- sample-config.json | 1 + webserver.js | 14 ++++++++++++-- 5 files changed, 38 insertions(+), 6 deletions(-) diff --git a/meshcentral.js b/meshcentral.js index 0f6b3798..b063d688 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -861,6 +861,13 @@ function CreateMeshCentralServer(config, args) { obj.StartEx1b = function () { var i; + // Linux format /var/log/auth.log + if (obj.config.settings.authlog != null) { + obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) { + if (err == null) { obj.authlog = fd; } else { console.log('ERROR: Unable to open: ' + obj.config.settings.authlog); } + }) + } + // Check if self update is allowed. If running as a Windows service, self-update is not possible. if (obj.fs.existsSync(obj.path.join(__dirname, 'daemon'))) { obj.serverSelfWriteAllowed = false; } @@ -2181,6 +2188,15 @@ function CreateMeshCentralServer(config, args) { obj.getServerWarnings = function () { return serverWarnings; } obj.addServerWarning = function(msg, print) { serverWarnings.push(msg); if (print !== false) { console.log("WARNING: " + msg); } } + // auth.log functions + obj.authLog = function(server, msg) { + if (obj.authlog == null) return; + var d = new Date(); + var month = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'][d.getMonth()]; + var msg = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(),2) + ':' + obj.common.zeroPad(d.getMinutes(),2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32')?'\r\n':'\n'); + obj.fs.write(obj.authlog, msg, function (err, written, string) { }); + } + // Return the path of a file into the meshcentral-data path obj.getConfigFilePath = function (filename) { if ((obj.config != null) && (obj.config.configfiles != null) && (obj.config.configfiles[filename] != null) && (typeof obj.config.configfiles[filename] == 'string')) { diff --git a/mpsserver.js b/mpsserver.js index eb1bd4a0..22098c19 100644 --- a/mpsserver.js +++ b/mpsserver.js @@ -40,7 +40,11 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) { obj.server.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); }); } - obj.server.listen(args.mpsport, function () { console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + "."); }).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available."); if (args.exactports) { process.exit(); } }); + obj.server.listen(args.mpsport, function () { + console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + "."); + obj.parent.authLog('mps', 'Server listening on 0.0.0.0 port ' + args.mpsport + '.'); + }).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available."); if (args.exactports) { process.exit(); } }); + obj.server.on('tlsClientError', function (err, tlssocket) { if (args.mpsdebug) { var remoteAddress = tlssocket.remoteAddress; if (tlssocket.remoteFamily == 'IPv6') { remoteAddress = '[' + remoteAddress + ']'; } console.log('MPS:Invalid TLS connection from ' + remoteAddress + ':' + tlssocket.remotePort + '.'); } }); obj.parent.updateServerState('mps-port', args.mpsport); obj.parent.updateServerState('mps-name', certificates.AmtMpsName); diff --git a/redirserver.js b/redirserver.js index a3a74071..720b5e7e 100644 --- a/redirserver.js +++ b/redirserver.js @@ -127,10 +127,11 @@ module.exports.CreateRedirServer = function (parent, db, args, func) { obj.tcpServer = obj.app.listen(port, function () { obj.port = port; console.log("MeshCentral HTTP redirection server running on port " + port + "."); - obj.parent.updateServerState("redirect-port", port); + obj.parent.authLog('http', 'Server listening on 0.0.0.0 port ' + port + '.'); + obj.parent.updateServerState('redirect-port', port); func(obj.port); - }).on("error", function (err) { - if ((err.code == "EACCES") && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); } + }).on('error', function (err) { + if ((err.code == 'EACCES') && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); } }); } diff --git a/sample-config.json b/sample-config.json index 64ecf26b..916bf494 100644 --- a/sample-config.json +++ b/sample-config.json @@ -37,6 +37,7 @@ "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100", "_AgentAllowedIP": "192.168.0.100/24", "_AgentBlockedIP": "127.0.0.1,::1", + "_AuthLog": "c:\\temp\\auth.log", "_LocalDiscovery": { "name": "Local server name", "info": "Information about this server" diff --git a/webserver.js b/webserver.js index 5d8766c2..ad9a53b1 100644 --- a/webserver.js +++ b/webserver.js @@ -695,6 +695,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if ((req.body.token != null) || (req.body.hwtoken != null)) { randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds. req.session.messageid = 108; // Invalid token, try again. + if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed 2FA for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.port); } parent.debug('web', 'handleLoginRequest: invalid 2FA token'); obj.parent.DispatchEvent(['*', 'server-users', 'user/' + domain.id + '/' + user.name], obj, { action: 'authfail', username: user.name, userid: 'user/' + domain.id + '/' + user.name, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + cleanRemoteAddr(req.ip) }); obj.setbadLogin(req); @@ -717,6 +718,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { } // Login successful + if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); } parent.debug('web', 'handleLoginRequest: successful 2FA login'); completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct); } @@ -725,10 +727,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { } // Login successful + if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); } parent.debug('web', 'handleLoginRequest: successful login'); completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct); } else { - // Login failed, wait a random delay + // Login failed, log the error + if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); } + + // Wait a random delay setTimeout(function () { // If the account is locked, display that. if (typeof xusername == 'string') { @@ -1377,16 +1383,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { // Login using SSPI domain.sspi.authenticate(req, res, function (err) { if ((err != null) || (req.connection.user == null)) { + if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed SSPI-auth for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); } parent.debug('web', 'handleRootRequest: SSPI auth required.'); res.end('Authentication Required...'); } else { + if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted SSPI-auth for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); } parent.debug('web', 'handleRootRequest: SSPI auth ok.'); handleRootRequestEx(req, res, domain, direct); } }); } else if (req.query.user && req.query.pass) { - // User credentials are being passed in the URL. WARNING: Putting credentials in a URL is not good security... but people are requesting this option. + // User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option. obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid) { + if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); } parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.'); req.session.userid = userid; req.session.domainid = domain.id; @@ -3804,6 +3813,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { obj.tcpServer = obj.tlsServer.listen(port, function () { console.log('MeshCentral HTTPS server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); }); obj.parent.updateServerState('servername', certificates.CommonName); } + if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on 0.0.0.0 port ' + port + '.'); } obj.parent.updateServerState('https-port', port); if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); } } else {