Email that user is blocked - but seems ok in db
11-25-2018, 04:45 AM,
#1
Email that user is blocked - but seems ok in db
Hi all, I’ve got a public facing demo site and I have a demo user with restricted privileges and I freely provide the login credentials. A couple times in the past year the system has sent a notice saying the account had been blocked, but “Blocked” is still “0” in the database. Does anyone have any idea what is going on? Fwiw, I’m running recent code (less than a month old) on PHP 7.2 with current MariaDb.

Cheers,
Dale
http://www.dalescott.net
11-25-2018, 11:35 AM,
#2
RE: Email that user is blocked - but seems ok in db
I don't know that webERP sends a blocked email... is this something from the ISP/host perhaps?
11-25-2018, 04:25 PM,
#3
RE: Email that user is blocked - but seems ok in db
Where is the code that blocks users if they enter a bad password too many times? Here’s the full email:

——

From: "www.dalescott.net" <www@dalescott.net>
Date: November 24, 2018 at 6:35:17 AM PST
To: dale@dalescott.net
Subject: User access blocked auditor

User ID auditor - appleton - has been blocked access at 2018-11-24 07:35:15 from IP 68.80.250.215 due to too many failed attempts.

——

If WebERP doesn’t email when it blocks a user, clearly I will need to review the other web apps I’m hosting (WordPress, ProjeQtOr, SuiteCRM, MantisBT and Time Tracker).
http://www.dalescott.net
11-25-2018, 10:12 PM, (This post was last modified: 11-25-2018, 10:17 PM by VortecCPI.)
#4
RE: Email that user is blocked - but seems ok in db
UserLogin.php on line 250 (git version)

https://www.linkedin.com/in/eclipsepaulbecker
11-26-2018, 02:08 AM, (This post was last modified: 11-26-2018, 03:21 AM by TurboPT.)
#5
RE: Email that user is blocked - but seems ok in db
Ah, there we go, thanks Paul! (and Dale for the email sample)

Will have to check the handling, though it seems that if blocked is still 0, then the Update at line 243 must not have been successful?

I realize that my sysadmin email is not set, which is why I'm not aware of the email.

=====

Dale, can you check:
  1. If there might be any error logging?
  2. If the AuditTrail is enabled, does that query exist? Should be around the same date/time of the email.
...and at the risk of having not asked, is there any CRON, trigger, or event schedule established that could be resetting the blocked value?

=====

A basic test of that area appears to be ok for me:

Code:
// error logging added to check the flow
[Sun Nov 25 11:49:53.164714 2018] [php7:notice] [pid 5460:tid 1972] [client ::1:13092] invalid login, referer: http://localhost/webERPgit/index.php
[Sun Nov 25 11:50:11.115807 2018] [php7:notice] [pid 5460:tid 1972] [client ::1:13095] invalid login, referer: http://localhost/webERPgit/index.php
[Sun Nov 25 11:50:21.878688 2018] [php7:notice] [pid 5460:tid 1972] [client ::1:13097] invalid login, referer: http://localhost/webERPgit/index.php
[Sun Nov 25 11:50:27.625743 2018] [php7:notice] [pid 5460:tid 1972] [client ::1:13099] invalid login, referer: http://localhost/webERPgit/index.php
[Sun Nov 25 11:50:38.093704 2018] [php7:notice] [pid 5460:tid 1972] [client ::1:13101] invalid login, referer: http://localhost/webERPgit/index.php

[Sun Nov 25 11:50:38.093704 2018] [php7:notice] [pid 5460:tid 1972] [client ::1:13101] too may failures, setting blocked, referer: http://localhost/webERPgit/index.php

After the 'too many failures', the blocked was set to 1.

Is there more to know about the demo user's 'restricted privileges'?
What are the demo user settings, so that I can try the same?
12-03-2018, 03:53 PM, (This post was last modified: 12-03-2018, 04:07 PM by dalescott.)
#6
RE: Email that user is blocked - but seems ok in db
Hi @TurboPT, sorry for my slow response, I was off-line for a week while on family travel. I found a number of "blocked user" notices in my inbox this morning (see screenshot).


The apache error log includes only one entry pertaining to WebERP around that time, although it occurs 15 minutes after the emails were received.

Code:
dale@whizzer:~ % tail /var/log/httpd-error.log | grep -i weberp
[Sun Dec 02 11:15:20.450080 2018] [php7:error] [pid 56832] [client 37.115.188.53:62191] script '/usr/local/www/weberp/xmlrpc.php' not found or unable to stat

The apache access log shows a number of GETs for CSS (log file filtered for WebERP accesses).

Code:
141.0.8.106 - - [02/Dec/2018:10:58:01 -0700] "GET /css/xenos/images/background.jpg HTTP/1.1" 404 229
141.0.8.106 - - [02/Dec/2018:10:58:16 -0700] "GET /css/default/login.css HTTP/1.1" 200 1184
141.0.8.106 - - [02/Dec/2018:10:58:16 -0700] "GET /css/default/images/background.jpg HTTP/1.1" 200 854238
66.102.8.150 - - [02/Dec/2018:10:58:54 -0700] "GET /css/xenos/login.css HTTP/1.1" 200 2785
107.167.108.210 - - [02/Dec/2018:10:58:54 -0700] "GET /css/webERP.gif HTTP/1.1" 200 1627
107.167.108.210 - - [02/Dec/2018:10:58:55 -0700] "GET /css/xenos/images/background.jpg HTTP/1.1" 404 229
107.167.108.210 - - [02/Dec/2018:10:58:56 -0700] "GET /css/default/login.css HTTP/1.1" 200 1184
107.167.108.210 - - [02/Dec/2018:10:58:57 -0700] "GET /css/default/images/background.jpg HTTP/1.1" 200 854238

For what it's worth, it appears there is a brute force Wordpress login attack at the same time (indeed, it appears from the access log that I am the target of almost continual Wordpress login attacks).

Please clarify how AuditTrail is enabled. I will enable AuditTrail if it is not already, to be ready for the next incident.

I do not have any CRON jobs, and the database is plain vanilla with no triggers or events.

The email I initially reported in this post provided the login user and password that I provide on my website to access the demo. However, the emails this morning refer to user ID "2004" and do not include a password.

Regards,
Dale
http://www.dalescott.net
12-03-2018, 06:34 PM,
#7
RE: Email that user is blocked - but seems ok in db
The demo user cannot be blocked by repeated bad logins. Maybe as well as not setting blocked to 1 we could not send the email for the demo user? This was because people with too much time on their hands, and automated bots, were continually blocking demo sites by randomly trying to login.

If it is a public facing demo it is generally a good idea to stop Google and others from indexing it so it is not picked up by automated bots.

Tim
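As an added illustration (not webERP's code, and not from anyone in this thread), here is the lockout flow TurboPT traced in post #5 and Tim explains in post #7, modelled in Python: a bad password bumps a counter, at a threshold the account's blocked flag is set and the sysadmin is notified, and the demo account is exempt from the flag but, in the original behaviour, still triggers the notice. The threshold, the account names, the IP and the `skip_demo_email` switch (Tim's suggested fix) are assumptions for the example.

```python
from dataclasses import dataclass, field
MAX_FAILED = 3          # assumed lockout threshold; the thread does not quote webERP's value
DEMO_USERS = {"demo"}   # assumed name of the public demo account that is exempt from blocking

@dataclass
class User:
    userid: str
    password: str
    blocked: int = 0    # mirrors the 'blocked' column Dale inspected in the database
    failed: int = 0     # consecutive bad-password count
@dataclass
class Store:
    users: dict
    notices: list = field(default_factory=list)   # stands in for the sysadmin email
    audit: list = field(default_factory=list)     # stands in for AuditTrail / error log lines
def notify_blocked(store, userid, ip, when):
    store.notices.append(f"User ID {userid} - has been blocked access at {when} "
                         f"from IP {ip} due to too many failed attempts.")

def attempt_login(store, userid, password, ip, when, skip_demo_email=False):
    """Return True on success. Bad password -> counter; at the threshold -> blocked=1 plus
    notice, except the demo user is never blocked (and with skip_demo_email never emailed)."""
    user = store.users.get(userid)
    if user is None or user.blocked:
        store.audit.append(f"{when} login refused for {userid!r} from {ip}")
        return False
    if password == user.password:
        user.failed = 0
        return True
    user.failed += 1
    store.audit.append(f"{when} invalid login for {userid} from {ip} ({user.failed}/{MAX_FAILED})")
    if user.failed >= MAX_FAILED:
        if userid in DEMO_USERS:
            if not skip_demo_email:           # original behaviour: email sent, blocked stays 0
                notify_blocked(store, userid, ip, when)
        else:
            user.blocked = 1
            notify_blocked(store, userid, ip, when)
        user.failed = 0
    return False

def scenario(skip_demo_email=False):
    # constructed run: three bad passwords against the demo account and a normal account
    store = Store(users={"demo": User("demo", "demo"), "auditor": User("auditor", "s3cret")})
    for uid in ("demo", "auditor"):
        for _ in range(MAX_FAILED):
            attempt_login(store, uid, "wrong", "198.51.100.7", "2018-11-24 07:35:15", skip_demo_email)
    return {uid: (u.blocked, sum(uid in n for n in store.notices)) for uid, u in store.users.items()}
```

With the default settings `scenario()` reproduces the symptom from post #1: the demo account gets a notice while its blocked flag stays 0; `scenario(skip_demo_email=True)` shows Tim's proposed behaviour.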