From f78394f2320d8d9d9efb3ea7da3dc740de1ef1e3 Mon Sep 17 00:00:00 2001
From: Wilfried Goesgens
Date: Sun, 22 Apr 2012 10:33:53 +0200
Subject: [PATCH] Logging: add details to failed password attempts to make it fail2ban more easy to block ports for dictionary attacks.
---
 citadel/context.h | 1 +
 citadel/sysdep.c | 1 +
 citadel/user_ops.c | 38 ++++++++++++++++++++++++--------------
 3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/citadel/context.h b/citadel/context.h
index 5e9d998ac..c25780360 100644
--- a/citadel/context.h
+++ b/citadel/context.h
@@ -129,6 +129,7 @@ struct CitContext {
 struct cit_ical *CIT_ICAL; /* calendaring data */
 struct ma_info *ma; /* multipart/alternative data */
 const char *ServiceName; /* readable purpose of this session */
+ long tcp_port;
 void *openid_data; /* Data stored by the OpenID module */
 char *ldap_dn; /* DN of user when using AUTHMODE_LDAP */
diff --git a/citadel/sysdep.c b/citadel/sysdep.c
index 2b83270c0..422370772 100644
--- a/citadel/sysdep.c
+++ b/citadel/sysdep.c
@@ -1271,6 +1271,7 @@ do_select:
 force_purge = 0;
 con = CreateNewContext();
 /* Assign our new socket number to it. */
+ con->tcp_port = serviceptr->tcp_port;
 con->client_socket = ssock;
 con->h_command_function = serviceptr->h_command_function;
 con->h_async_function = serviceptr->h_async_function;
diff --git a/citadel/user_ops.c b/citadel/user_ops.c
index 29b6f621f..37cbfcd64 100644
--- a/citadel/user_ops.c
+++ b/citadel/user_ops.c
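Review bot: The new `long tcp_port;` member in the context.h hunk is the only field in this part of struct CitContext without a trailing comment, and the name alone does not say whether it is the listening port or the peer's port. The sysdep.c hunk fills it from `serviceptr->tcp_port` when the context is created, so it appears to be the service's listening port; suggest `long tcp_port; /* listening port of the service this session connected to (used in auth logging) */`. The struct definition continues outside the hunk.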
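Review bot: In the sysdep.c hunk the added `con->tcp_port = serviceptr->tcp_port;` is placed between the comment `/* Assign our new socket number to it. */` and the `con->client_socket = ssock;` line that comment describes, so the comment now reads as if it annotates the port copy. Move the assignment below `con->client_socket = ssock;`, next to the other `serviceptr->` copies, or above the comment. The enclosing block begins and ends outside the hunk.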
@@ -934,16 +934,17 @@ void start_chkpwd_daemon(void) {
 int CtdlTryPassword(const char *password, long len)
 {
 int code;
+ CitContext *CCC = CC;
- if ((CC->logged_in)) {
+ if ((CCC->logged_in)) {
 syslog(LOG_WARNING, "CtdlTryPassword: already logged in\n");
 return pass_already_logged_in;
 }
- if (!strcmp(CC->curr_user, NLI)) {
+ if (!strcmp(CCC->curr_user, NLI)) {
 syslog(LOG_WARNING, "CtdlTryPassword: no user selected\n");
 return pass_no_user;
 }
- if (CtdlGetUser(&CC->user, CC->curr_user)) {
+ if (CtdlGetUser(&CCC->user, CCC->curr_user)) {
 syslog(LOG_ERR, "CtdlTryPassword: internal error\n");
 return pass_internal_error;
 }
@@ -953,7 +954,7 @@ int CtdlTryPassword(const char *password, long len)
 }
 code = (-1);
- if (CC->is_master) {
+ if (CCC->is_master) {
 code = strcmp(password, config.c_master_pass);
 }
@@ -961,7 +962,7 @@ int CtdlTryPassword(const char *password, long len)
 /* host auth mode */
- if (validpw(CC->user.uid, password)) {
+ if (validpw(CCC->user.uid, password)) {
 code = 0;
 /*
@@ -972,9 +973,9 @@ int CtdlTryPassword(const char *password, long len)
 * this is a security hazard, comment it out.
 */
- CtdlGetUserLock(&CC->user, CC->curr_user);
- safestrncpy(CC->user.password, password, sizeof CC->user.password);
- CtdlPutUserLock(&CC->user);
+ CtdlGetUserLock(&CCC->user, CCC->curr_user);
+ safestrncpy(CCC->user.password, password, sizeof CCC->user.password);
+ CtdlPutUserLock(&CCC->user);
 /*
 * (sooper-seekrit hack ends here)
@@ -991,7 +992,7 @@ int CtdlTryPassword(const char *password, long len)
 /* LDAP auth mode */
- if ((CC->ldap_dn) && (!CtdlTryPasswordLDAP(CC->ldap_dn, password))) {
+ if ((CCC->ldap_dn) && (!CtdlTryPasswordLDAP(CCC->ldap_dn, password))) {
 code = 0;
 } else {
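Review bot: `CitContext *CCC = CC;` in the -934 hunk is introduced with no comment saying why a local alias replaces `CC` for the rest of CtdlTryPassword; the same mechanical rename is repeated in the -953, -961, -972 and -991 hunks and in the -1008 and -1020 hunks of the same file. If `CC` is a per-thread lookup (its definition is not in this diff), the intent is presumably to resolve it once per call, and that deserves one line, e.g. `CitContext *CCC = CC; /* resolve the session context once for this call */`. CtdlTryPassword begins in the first hunk and continues past the last hunk shown here.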
@@ -1008,11 +1009,11 @@ int CtdlTryPassword(const char *password, long len) pw = (char*) malloc(len + 1); memcpy(pw, password, len + 1); strproc(pw); - strproc(CC->user.password); - code = strcasecmp(CC->user.password, pw); + strproc(CCC->user.password); + code = strcasecmp(CCC->user.password, pw); strproc(pw); - strproc(CC->user.password); - code = strcasecmp(CC->user.password, pw); + strproc(CCC->user.password); + code = strcasecmp(CCC->user.password, pw); free (pw); } @@ -1020,7 +1021,16 @@ int CtdlTryPassword(const char *password, long len) do_login(); return pass_ok; } else { - syslog(LOG_WARNING, "Bad password specified for <%s>\n", CC->curr_user); + syslog(LOG_WARNING, "Bad password specified for <%s> Service <%s> Port <%ld> Remote <%s / %s>\n", + CCC->curr_user, + CCC->ServiceName, + CCC->tcp_port, + CCC->cs_host, + CCC->cs_addr); + + +//citserver[5610]: Bad password specified for Service Remote + return pass_wrong_password; } } -- 2.30.2
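Review bot: The new side of the -1008 hunk still contains the sequence `strproc(pw); strproc(CCC->user.password); code = strcasecmp(CCC->user.password, pw);` twice in a row; the commit renames both copies instead of dropping the repeat. Unless applying strproc twice is intentional (its definition is not in the diff), the second three lines can be deleted so that `free (pw);` follows the first comparison, which also makes it obvious that only one comparison decides `code`. The enclosing else-branch starts before the hunk.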
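Review bot: The new `syslog()` in the -1020 hunk prints `CCC->curr_user`, which is presumably chosen by the client's earlier user-selection command, before the `Remote <%s / %s>` fields a fail2ban filter is meant to parse, so a name containing spaces or angle brackets can make the line ambiguous for a pattern anchored on `Remote <`; either bound and sanitize the name (e.g. `%.64s` after removing control characters) or print the remote fields first, and anchor the filter on the address fields at end of line. `cs_host` and `cs_addr` are not declared in this diff, so confirm both are NUL-terminated strings suitable for `%s`; `Port <%ld>` does match the `long tcp_port` added in context.h. The pasted sample line `//citserver[5610]: Bad password specified for Service Remote` and the two empty added lines above it look like leftover scratch output and should be removed or turned into a short `/* example: ... */` comment above the `syslog()` call. The function's closing brace is inside the hunk.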