Logging users vs. ip address


Logging users vs. ip address

by Andrew Daviel-3


We have been having problems with compromised accounts used for spamming,
and I needed to track user logins against client ip address.

The remote address turns up in the Message-ID, e.g.
<port>.<ipv4a.b.c.d>.nnnn.squirrel...
and in Apache access_log, but those don't give the username.
imapd syslog gives the username, but lists 127.0.0.1 as the address.
Correlating timestamps was painful, so I hacked squirrelmail.

I'm sure there's a better, more elegant way, probably already done by
someone - maybe "Squirrel Logger" plugin which I hadn't found when I
wrote this. But for what it's worth:

patch against squirrelmail-1.4.8-5.el4 (Latest RedHat Enterprise 4
package) - generates a simple greppable file of logins and logouts :


--- /usr/share/squirrelmail/src/redirect.php.orig       2009-01-20
21:21:31.000000000 -0800
+++ /usr/share/squirrelmail/src/redirect.php    2009-10-23
16:56:03.000000000 -0700
@@ -99,7 +99,11 @@
      sqsession_register ($username, 'username');
      sqsetcookie('key', $key, 0, $base_uri);
      do_hook ('login_verified');
-
+    if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
+      $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' login ' . $username . "\n";
+      fputs($logfile, $logline, strlen($logline) );
+      fclose($logfile);
+    }
  }

  /* Set the login variables. */
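
Review bot: $username is concatenated into $logline unfiltered in the block added after do_hook ('login_verified'), so a login name containing a space, CR or LF would break the one-record-per-line layout this file is meant to be grepped for. Strip or escape whitespace and control characters from $username before building the line. The date('Y-m-d H:i:s ') stamp also carries no zone offset, so records around a clock change are ambiguous; gmdate() or adding the O format character would fix that. Mode 'a' is enough since nothing is read back, and a failed fopen() is skipped silently here, which deserves at least a comment.
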
--- /usr/share/squirrelmail/src/signout.php.orig        2006-07-30
12:37:38.000000000 -0700
+++ /usr/share/squirrelmail/src/signout.php     2009-10-23
18:10:51.000000000 -0700
@@ -43,6 +43,11 @@
  }

  do_hook('logout');
+if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
+  $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' logout ' . $username . "\n";
+  fputs($logfile, $logline, strlen($logline) );
+  fclose($logfile);
+}

  sqsession_destroy();
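
Review bot: the block added after do_hook('logout') uses $username, but nothing in the visible context of signout.php sets it; if the session has already expired when the user signs out, the record would end with an empty user field. Check that it is non-empty, or write a placeholder, before logging. The block is also a copy of the one added to redirect.php with only ' login ' changed to ' logout '; one helper that takes the action as a parameter would keep the two in step.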

---------------------
/var/log/squirrelmail needs to exist, writable by apache
(PHP is not my choice of scripting language, so this is way crude ...)




--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
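
Added example, not part of the original post or of SquirrelMail: a Python script that parses the session.log lines the patch above writes (timestamp, client address, login/logout, username) and flags accounts that log in from several distinct addresses within a short period, which is the user-to-IP correlation the post set out to get. The sample lines, the one-hour window and the three-address threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format written by the patch: "Y-m-d H:i:s <REMOTE_ADDR> login|logout <username>".
# An empty username is accepted; any line that does not fit exactly is rejected.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (login|logout) (\S*)$")

# Constructed sample data (documentation addresses, made-up users).
SAMPLE_LOG = """\
2009-10-23 16:56:03 192.0.2.10 login alice
2009-10-23 17:02:11 192.0.2.10 logout alice
2009-10-23 17:05:40 198.51.100.7 login bob
2009-10-23 17:06:02 203.0.113.99 login bob
2009-10-23 17:09:15 192.0.2.44 login bob
2009-10-23 17:10:00 garbage line that does not parse
2009-10-24 09:00:00 198.51.100.7 login bob
"""

def parse(text):
    """Return (events, rejected): parsed tuples and the lines that did not match."""
    events, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)  # keep for review: may be an injected or torn record
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events, rejected

def multi_ip_logins(events, window=timedelta(hours=1), min_ips=3):
    """Map username -> sorted addresses for users who logged in from at least
    min_ips distinct addresses inside one sliding window (assumed thresholds)."""
    by_user = defaultdict(list)
    for ts, ip, action, user in events:
        if action == "login":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1  # drop logins that fell out of the window
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    events, rejected = parse(SAMPLE_LOG)
    print(multi_ip_logins(events), rejected)
```

Rejected lines are returned rather than dropped so that records which do not fit the expected layout can be inspected separately.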

Re: Logging users vs. ip address

by Tomas Kuliavas

2009.11.03 23:08 Andrew Daviel wrote:

>
> We have been having problems with compromised accounts used for spamming,
> and I needed to track user logins against client ip address.
>
> The remote address turns up in the Message-ID, e.g.
> <port>.<ipv4a.b.c.d>.nnnn.squirrel...
> and in Apache access_log, but those don't give the username.
> imapd syslog gives the username, but lists 127.0.0.1 as the address.
> Correlating timestamps was painful, so I hacked squirrelmail.
>
> I'm sure there's a better, more elegant way, probably already done by
> someone - maybe "Squirrel Logger" plugin which I hadn't found when I
> wrote this. But for what it's worth:
>
> patch against squirrelmail-1.4.8-5.el4 (Latest RedHat Enterprise 4
> package) - generates a simple greppable file of logins and logouts :
>
>
> --- /usr/share/squirrelmail/src/redirect.php.orig       2009-01-20
> 21:21:31.000000000 -0800
> +++ /usr/share/squirrelmail/src/redirect.php    2009-10-23
> 16:56:03.000000000 -0700
> @@ -99,7 +99,11 @@
>       sqsession_register ($username, 'username');
>       sqsetcookie('key', $key, 0, $base_uri);
>       do_hook ('login_verified');
> -
> +    if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
> +      $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' login
> ' . $username . "\n";
> +      fputs($logfile, $logline, strlen($logline) );
> +      fclose($logfile);
> +    }
>   }
>
>   /* Set the login variables. */
> --- /usr/share/squirrelmail/src/signout.php.orig        2006-07-30
> 12:37:38.000000000 -0700
> +++ /usr/share/squirrelmail/src/signout.php     2009-10-23
> 18:10:51.000000000 -0700
> @@ -43,6 +43,11 @@
>   }
>
>   do_hook('logout');
> +if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
> +  $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' logout '
> . $username . "\n";
> +  fputs($logfile, $logline, strlen($logline) );
> +  fclose($logfile);
> +}
>
>   sqsession_destroy();
>
> ---------------------
> /var/log/squirrelmail needs to exist, writable by apache
> (PHP is not my choice of scripting language, so this is way crude ...)

See PHP error_log() and syslog() documentation. There is no need to do
fopen stuff.

date() is sensitive to timezone. Not good for logs.

You should also log login failures.

Both of your changes are added right after hook calls. There is no need to
modify SquirrelMail code. A plugin can be attached to those hooks.


--
Tomas




Re: Logging users vs. ip address

by Paul Lesniewski

On Tue, Nov 3, 2009 at 1:08 PM, Andrew Daviel <advax@...> wrote:

>
> We have been having problems with compromised accounts used for spamming,
> and I needed to track user logins against client ip address.
>
> The remote address turns up in the Message-ID, e.g.
> <port>.<ipv4a.b.c.d>.nnnn.squirrel...
> and in Apache access_log, but those don't give the username.
> imapd syslog gives the username, but lists 127.0.0.1 as the address.
> Correlating timestamps was painful, so I hacked squirrelmail.
>
> I'm sure there's a better, more elegant way, probably already done by
> someone - maybe "Squirrel Logger" plugin which I hadn't found

Yep, that's the one you want that does what you're trying to do in a
much better way.  You also want Restrict Senders and maybe Lockout
and/or CAPTCHA

> when I
> wrote this. But for what it's worth:
>
> patch against squirrelmail-1.4.8-5.el4 (Latest RedHat Enterprise 4
> package) - generates a simple greppable file of logins and logouts :
>
>
> --- /usr/share/squirrelmail/src/redirect.php.orig       2009-01-20
> 21:21:31.000000000 -0800
> +++ /usr/share/squirrelmail/src/redirect.php    2009-10-23
> 16:56:03.000000000 -0700
> @@ -99,7 +99,11 @@
>      sqsession_register ($username, 'username');
>      sqsetcookie('key', $key, 0, $base_uri);
>      do_hook ('login_verified');
> -
> +    if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
> +      $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' login ' . $username . "\n";
> +      fputs($logfile, $logline, strlen($logline) );
> +      fclose($logfile);
> +    }
>  }
>
>  /* Set the login variables. */
> --- /usr/share/squirrelmail/src/signout.php.orig        2006-07-30
> 12:37:38.000000000 -0700
> +++ /usr/share/squirrelmail/src/signout.php     2009-10-23
> 18:10:51.000000000 -0700
> @@ -43,6 +43,11 @@
>  }
>
>  do_hook('logout');
> +if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
> +  $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' logout ' . $username . "\n";
> +  fputs($logfile, $logline, strlen($logline) );
> +  fclose($logfile);
> +}
>
>  sqsession_destroy();
>
> ---------------------
> /var/log/squirrelmail needs to exist, writable by apache
> (PHP is not my choice of scripting language, so this is way crude ...)


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


"Undefined variable: charset" messages

by Andrew Daviel-3


(in a previous version I hacked squirrelmail to stop these; I forget what
I did and now they're back after an update. Obviously it's better to get
the code fixed or find the underlying problem...)

I get a ton of PHP warnings in https/ssl_error_log, viz.

  PHP Notice:  Undefined variable:  charset in
/usr/share/squirrelmail/functions/mime.php on line 317, referer:
...squirrelmail/src/right_main.php

any ideas ?

Seems to me like $charset is not getting transferred into formatBody()
from wherever.

RedHat Enterprise 4 (compatible)
php-4.3.9-3.22.15.i386
squirrelmail-1.4.8-5.el4_8.8.noarch



--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager


Re: Logging users vs. ip address

by Andrew Daviel-3

On Wed, 4 Nov 2009, Tomas Kuliavas wrote:

>> I'm sure there's a better, more elegant way, probably already done by
>> someone - maybe "Squirrel Logger" plugin which I hadn't found when I
>> wrote this. But for what it's worth:

> Both of your changes are added right after hook calls. There is no need to
> modify SquirrelMail code. A plugin can be attached to those hooks.

That's just me hacking something without actually understanding it :-)

I just installed the logger plugin and that's writing to a file OK.
But I can't get the syslog or email alerting to work - if I cause an
error (deliberate login failure) I get a blank page for
squirrelmail/src/redirect.php


I installed the compatibility plugin per the docs (requires patching
SquirrelMail it seems) but still no good.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager


Re: Logging users vs. ip address

by Paul Lesniewski

On Thu, Nov 5, 2009 at 4:12 PM, Andrew Daviel <advax@...> wrote:

> On Wed, 4 Nov 2009, Tomas Kuliavas wrote:
>
>>> I'm sure there's a better, more elegant way, probably already done by
>>> someone - maybe "Squirrel Logger" plugin which I hadn't found when I
>>> wrote this. But for what it's worth:
>
>> Both of your changes are added right after hook calls. There is no need to
>> modify SquirrelMail code. A plugin can be attached to those hooks.
>
> That's just me hacking something without actually understanding it :-)
>
> I just installed the logger plugin and that's writing to a file OK.
> But I can't get the syslog or email alerting to work - if I cause an
> error (deliberate login failure) I get a blank page for
> squirrelmail/src/redirect.php

http://squirrelmail.org/docs/admin/admin-11.html#blankpage

> I installed the compatibility plugin per the docs (requires patching
> SquirrelMail it seems)

Only if using an out-of-date version of SM

> but still no good.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: "Undefined variable: charset" messages

by Paul Lesniewski

On Thu, Nov 5, 2009 at 4:12 PM, Andrew Daviel <advax@...> wrote:

>
> (in a previous version I hacked squirrelmail to stop these; I forget what
> I did and now they're back after an update. Obviously it's better to get
> the code fixed or find the underlying problem...)
>
> I get a ton of PHP warnings in https/ssl_error_log, viz.
>
>  PHP Notice:  Undefined variable:  charset in
> /usr/share/squirrelmail/functions/mime.php on line 317, referer:
> ...squirrelmail/src/right_main.php
>
> any ideas ?
>
> Seems to me like $charset is not getting transferred into formatBody()
> from wherever.
>
> RedHat Enterprise 4 (compatible)
> php-4.3.9-3.22.15.i386
> squirrelmail-1.4.8-5.el4_8.8.noarch

Unless you can reproduce using the latest SM code, you need to contact RedHat.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: "Undefined variable: charset" messages

by Tomas Kuliavas

2009.11.06 02:12 Andrew Daviel wrote:

>
> (in a previous version I hacked squirrelmail to stop these; I forget what
> I did and now they're back after an update. Obviously it's better to get
> the code fixed or find the underlying problem...)
>
> I get a ton of PHP warnings in https/ssl_error_log, viz.
>
>   PHP Notice:  Undefined variable:  charset in
> /usr/share/squirrelmail/functions/mime.php on line 317, referer:
> ...squirrelmail/src/right_main.php
>
> any ideas ?
>
> Seems to me like $charset is not getting transferred into formatBody()
> from wherever.
>
> RedHat Enterprise 4 (compatible)
> php-4.3.9-3.22.15.i386
> squirrelmail-1.4.8-5.el4_8.8.noarch

Fedora removed squirrelmail-1.4.8-IE-Japanese-download-ugly-hack.patch two
years ago. Looks like the new package maintainer decided to keep it in RHEL
packages and even extended it. The patch is broken. Ask RH to remove it or
explain all modifications to upstream. They don't have to explain the
modification in the SendDownloadHeaders() function, but even there they are
testing only for Japanese, when the problem also exists in Korean and Chinese.

--
Tomas


