Added basic auth.log support.

This commit is contained in:
Ylian Saint-Hilaire 2020-02-17 10:24:32 -08:00
parent 070dd05267
commit 2cb3df77c5
5 changed files with 38 additions and 6 deletions

View File

@ -861,6 +861,13 @@ function CreateMeshCentralServer(config, args) {
obj.StartEx1b = function () { obj.StartEx1b = function () {
var i; var i;
// Linux format /var/log/auth.log
if (obj.config.settings.authlog != null) {
obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) {
if (err == null) { obj.authlog = fd; } else { console.log('ERROR: Unable to open: ' + obj.config.settings.authlog); }
})
}
// Check if self update is allowed. If running as a Windows service, self-update is not possible. // Check if self update is allowed. If running as a Windows service, self-update is not possible.
if (obj.fs.existsSync(obj.path.join(__dirname, 'daemon'))) { obj.serverSelfWriteAllowed = false; } if (obj.fs.existsSync(obj.path.join(__dirname, 'daemon'))) { obj.serverSelfWriteAllowed = false; }
@ -2181,6 +2188,15 @@ function CreateMeshCentralServer(config, args) {
obj.getServerWarnings = function () { return serverWarnings; } obj.getServerWarnings = function () { return serverWarnings; }
obj.addServerWarning = function(msg, print) { serverWarnings.push(msg); if (print !== false) { console.log("WARNING: " + msg); } } obj.addServerWarning = function(msg, print) { serverWarnings.push(msg); if (print !== false) { console.log("WARNING: " + msg); } }
// auth.log functions
obj.authLog = function(server, msg) {
if (obj.authlog == null) return;
var d = new Date();
var month = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'][d.getMonth()];
var msg = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(),2) + ':' + obj.common.zeroPad(d.getMinutes(),2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32')?'\r\n':'\n');
obj.fs.write(obj.authlog, msg, function (err, written, string) { });
}
// Return the path of a file into the meshcentral-data path // Return the path of a file into the meshcentral-data path
obj.getConfigFilePath = function (filename) { obj.getConfigFilePath = function (filename) {
if ((obj.config != null) && (obj.config.configfiles != null) && (obj.config.configfiles[filename] != null) && (typeof obj.config.configfiles[filename] == 'string')) { if ((obj.config != null) && (obj.config.configfiles != null) && (obj.config.configfiles[filename] != null) && (typeof obj.config.configfiles[filename] == 'string')) {

View File

@ -40,7 +40,11 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
obj.server.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); }); obj.server.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
} }
obj.server.listen(args.mpsport, function () { console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + "."); }).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available."); if (args.exactports) { process.exit(); } }); obj.server.listen(args.mpsport, function () {
console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + ".");
obj.parent.authLog('mps', 'Server listening on 0.0.0.0 port ' + args.mpsport + '.');
}).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available."); if (args.exactports) { process.exit(); } });
obj.server.on('tlsClientError', function (err, tlssocket) { if (args.mpsdebug) { var remoteAddress = tlssocket.remoteAddress; if (tlssocket.remoteFamily == 'IPv6') { remoteAddress = '[' + remoteAddress + ']'; } console.log('MPS:Invalid TLS connection from ' + remoteAddress + ':' + tlssocket.remotePort + '.'); } }); obj.server.on('tlsClientError', function (err, tlssocket) { if (args.mpsdebug) { var remoteAddress = tlssocket.remoteAddress; if (tlssocket.remoteFamily == 'IPv6') { remoteAddress = '[' + remoteAddress + ']'; } console.log('MPS:Invalid TLS connection from ' + remoteAddress + ':' + tlssocket.remotePort + '.'); } });
obj.parent.updateServerState('mps-port', args.mpsport); obj.parent.updateServerState('mps-port', args.mpsport);
obj.parent.updateServerState('mps-name', certificates.AmtMpsName); obj.parent.updateServerState('mps-name', certificates.AmtMpsName);

View File

@ -127,10 +127,11 @@ module.exports.CreateRedirServer = function (parent, db, args, func) {
obj.tcpServer = obj.app.listen(port, function () { obj.tcpServer = obj.app.listen(port, function () {
obj.port = port; obj.port = port;
console.log("MeshCentral HTTP redirection server running on port " + port + "."); console.log("MeshCentral HTTP redirection server running on port " + port + ".");
obj.parent.updateServerState("redirect-port", port); obj.parent.authLog('http', 'Server listening on 0.0.0.0 port ' + port + '.');
obj.parent.updateServerState('redirect-port', port);
func(obj.port); func(obj.port);
}).on("error", function (err) { }).on('error', function (err) {
if ((err.code == "EACCES") && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); } if ((err.code == 'EACCES') && (port < 65535)) { StartRedirServer(port + 1); } else { console.log(err); func(obj.port); }
}); });
} }

View File

@ -37,6 +37,7 @@
"_UserBlockedIP": "127.0.0.1,::1,192.168.0.100", "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
"_AgentAllowedIP": "192.168.0.100/24", "_AgentAllowedIP": "192.168.0.100/24",
"_AgentBlockedIP": "127.0.0.1,::1", "_AgentBlockedIP": "127.0.0.1,::1",
"_AuthLog": "c:\\temp\\auth.log",
"_LocalDiscovery": { "_LocalDiscovery": {
"name": "Local server name", "name": "Local server name",
"info": "Information about this server" "info": "Information about this server"

View File

@ -695,6 +695,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if ((req.body.token != null) || (req.body.hwtoken != null)) { if ((req.body.token != null) || (req.body.hwtoken != null)) {
randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds. randomWaitTime = 2000 + (obj.crypto.randomBytes(2).readUInt16BE(0) % 4095); // This is a fail, wait a random time. 2 to 6 seconds.
req.session.messageid = 108; // Invalid token, try again. req.session.messageid = 108; // Invalid token, try again.
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed 2FA for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.port); }
parent.debug('web', 'handleLoginRequest: invalid 2FA token'); parent.debug('web', 'handleLoginRequest: invalid 2FA token');
obj.parent.DispatchEvent(['*', 'server-users', 'user/' + domain.id + '/' + user.name], obj, { action: 'authfail', username: user.name, userid: 'user/' + domain.id + '/' + user.name, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + cleanRemoteAddr(req.ip) }); obj.parent.DispatchEvent(['*', 'server-users', 'user/' + domain.id + '/' + user.name], obj, { action: 'authfail', username: user.name, userid: 'user/' + domain.id + '/' + user.name, domain: domain.id, msg: 'User login attempt with incorrect 2nd factor from ' + cleanRemoteAddr(req.ip) });
obj.setbadLogin(req); obj.setbadLogin(req);
@ -717,6 +718,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} }
// Login successful // Login successful
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleLoginRequest: successful 2FA login'); parent.debug('web', 'handleLoginRequest: successful 2FA login');
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct); completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct);
} }
@ -725,10 +727,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} }
// Login successful // Login successful
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleLoginRequest: successful login'); parent.debug('web', 'handleLoginRequest: successful login');
completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct); completeLoginRequest(req, res, domain, user, userid, xusername, xpassword, direct);
} else { } else {
// Login failed, wait a random delay // Login failed, log the error
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed password for ' + xusername + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
// Wait a random delay
setTimeout(function () { setTimeout(function () {
// If the account is locked, display that. // If the account is locked, display that.
if (typeof xusername == 'string') { if (typeof xusername == 'string') {
@ -1377,16 +1383,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Login using SSPI // Login using SSPI
domain.sspi.authenticate(req, res, function (err) { domain.sspi.authenticate(req, res, function (err) {
if ((err != null) || (req.connection.user == null)) { if ((err != null) || (req.connection.user == null)) {
if (obj.parent.authlog) { obj.parent.authLog('https', 'Failed SSPI-auth for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleRootRequest: SSPI auth required.'); parent.debug('web', 'handleRootRequest: SSPI auth required.');
res.end('Authentication Required...'); res.end('Authentication Required...');
} else { } else {
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted SSPI-auth for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleRootRequest: SSPI auth ok.'); parent.debug('web', 'handleRootRequest: SSPI auth ok.');
handleRootRequestEx(req, res, domain, direct); handleRootRequestEx(req, res, domain, direct);
} }
}); });
} else if (req.query.user && req.query.pass) { } else if (req.query.user && req.query.pass) {
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is not good security... but people are requesting this option. // User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option.
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid) { obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid) {
if (obj.parent.authlog) { obj.parent.authLog('https', 'Accepted password for ' + req.connection.user + ' from ' + cleanRemoteAddr(req.ip) + ' port ' + req.connection.remotePort); }
parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.'); parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
req.session.userid = userid; req.session.userid = userid;
req.session.domainid = domain.id; req.session.domainid = domain.id;
@ -3804,6 +3813,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.tcpServer = obj.tlsServer.listen(port, function () { console.log('MeshCentral HTTPS server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); }); obj.tcpServer = obj.tlsServer.listen(port, function () { console.log('MeshCentral HTTPS server running on ' + certificates.CommonName + ':' + port + ((args.aliasport != null) ? (', alias port ' + args.aliasport) : '') + '.'); });
obj.parent.updateServerState('servername', certificates.CommonName); obj.parent.updateServerState('servername', certificates.CommonName);
} }
if (obj.parent.authlog) { obj.parent.authLog('https', 'Server listening on 0.0.0.0 port ' + port + '.'); }
obj.parent.updateServerState('https-port', port); obj.parent.updateServerState('https-port', port);
if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); } if (args.aliasport != null) { obj.parent.updateServerState('https-aliasport', args.aliasport); }
} else { } else {