Event: OnUserLoggedOn(oClient)

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
Post Reply

I would like a new event OnUserLoggedOn(oClient)

Yes
3
75%
Don't care
1
25%
 
Total votes: 4

User avatar
RvdH
Senior user
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Event: OnUserLoggedOn(oClient)

Post by RvdH » 2014-06-05 09:43

I would love to have an eventhandler 'OnUserLoggedOn(oClient)' added that would made it (easily) possible for me to determine what user is connecting and how often on specific port, from some IPaddress as i have the feeling some clients are hammering my server, logging in every 30sec or so

The values that should be available, would be:
  • oClient.IPaddress
    oClient.Port
    oClient.Username
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Event: OnUserLoggedOn(oClient)

Post by Bill48105 » 2014-06-05 14:09

RvdH wrote:I would love to have an eventhandler 'OnUserLoggedOn(oClient)' added that would made it (easily) possible for me to determine what user is connecting and how often on specific port, from some IPaddress as i have the feeling some clients are hammering my server, logging in every 30sec or so

The values that should be available, would be:
  • oClient.IPaddress
    oClient.Port
    oClient.Username
Not sure it's posted but this is one of the many new events I'd like to add at some point along with onloginfail onlogin among a few others. (Event names subject to change)
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

User avatar
RvdH
Senior user
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Event: OnUserLoggedOn(oClient)

Post by RvdH » 2014-06-10 18:38

Hi Bill48105,

Until those script events are added would it be possible for you to to add such features in your experimental builds?

I am thinking about logging to /Logs/userlogins.txt and there log all successful/failed login attempts (for all protocols and ports)
Example:

[2014-06-10 10:53:14]: Failed login for info@domainname.com.nl from 111.111.111.111 on port 25
[2014-06-10 10:53:32]: Successful login for info@domainname.com from 111.111.111.111 on port 465

RvdH
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Event: OnUserLoggedOn(oClient)

Post by Bill48105 » 2014-06-11 17:10

RvdH wrote:Hi Bill48105,

Until those script events are added would it be possible for you to to add such features in your experimental builds?

I am thinking about logging to /Logs/userlogins.txt and there log all successful/failed login attempts (for all protocols and ports)
Example:

[2014-06-10 10:53:14]: Failed login for info@domainname.com.nl from 111.111.111.111 on port 25
[2014-06-10 10:53:32]: Successful login for info@domainname.com from 111.111.111.111 on port 465

RvdH
Right I am referring to my experimental builds as I have no direct access to the official source (it's a fork of the official on github now) and I can't make official releases myself anyway. But adding events isn't exactly trivial & unlikely to happen any time soon unless my schedule loosens up a bit.

Indeed built-in logging for logins would be useful aside from login events.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Event: OnUserLoggedOn(oClient)

Post by estradis » 2015-04-21 10:20

I also need this Event very urgent, because our hmail is under attack daily with IP addresses originated in russia and china.
Is there a timeline when these events will be implemented?

I tried to catch the OnError event, but it doesn't catch these failures.
(Seems that "Authentication failure" is not an error ...)

User avatar
jimimaseye
Moderator
Moderator
Posts: 8118
Joined: 2011-09-08 17:48

Re: Event: OnUserLoggedOn(oClient)

Post by jimimaseye » 2015-04-21 22:26

Read here: viewtopic.php?p=163328#p163328

and you will find a solution Im sure.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Event: OnUserLoggedOn(oClient)

Post by estradis » 2015-08-05 10:21

jimimaseye wrote:Read here: viewtopic.php?p=163328#p163328

and you will find a solution Im sure.
It helped only by implementing GeoIP, but I still needed this Event until now. Meanwhile I created a monitor service on the logfiles which fires an own event when some search patterns matched to log lines. So I can handle each connection and not only authenticated sessions or authentication failures. With this service I was able to implement a reputation db for each ip address remembering what it did on our server. This enables me to forecast the most connections and drop the su****s out before they can post anything.

Although I strongly recommend to implement this event asap regardless of any "quick and dirty" workarounds. It is a security feature and security should always be implemented!

User avatar
mattg
Moderator
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Event: OnUserLoggedOn(oClient)

Post by mattg » 2015-08-05 11:42

estradis wrote:It is a security feature and security should always be implemented!
Please explain why it is a security feature?

Please explain why the GeoIP doesn't work for you?
Please detail why you don't drop rubbish at your firewall...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Event: OnUserLoggedOn(oClient)

Post by estradis » 2015-08-05 15:33

mattg wrote:
estradis wrote:It is a security feature and security should always be implemented!
Please explain why it is a security feature?
Authentication failures are always security events, don't you agree?
mattg wrote:
estradis wrote:It helped only by implementing GeoIP
Please explain why the GeoIP doesn't work for you?
Maybe you misunderstood me. GeoIP helped, but it cannot handle authentication events, so it was only a small part.
mattg wrote:Please detail why you don't drop rubbish at your firewall...
We work in an ITIL environment. For each change on the firewall (and anything else) I have to work almost three days to create a change request in first with no guarantee to get it permitted. On my mailserver I'm pre-authorized to all changings of definitions or scripts to fight against spammers and intruders. Only once a month I have to report a summary.

Or in short words: I can handle it faster and easier on the mailserver.

User avatar
RvdH
Senior user
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Event: OnUserLoggedOn(oClient)

Post by RvdH » 2015-08-05 17:40

Yep, that also why my concern when requesting this feature, a simple log files with all authentication request, both good and failures the determine issues on all configured ports
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
SorenR
Senior user
Senior user
Posts: 3183
Joined: 2006-08-21 15:38
Location: Denmark

Re: Event: OnUserLoggedOn(oClient)

Post by SorenR » 2015-08-05 20:26

Check sourcecode and look for AccountLogon.cpp, AccountLogon::Logon is a common function for all protocols, so figuring out what exactly the client is logging on via... well, might be a challenge... IF the code attached is not able to provide the Port number :idea: .

But if the objective is to add two triggers, this is the most likely place... AND definitions for the triggers go in ScriptServer.cpp and ScriptServer.h - check for existing ones and Copy&Paste :!:

Suggestive code for subj..

Code: Select all

      if (Configuration::Instance()->GetUseScriptServer())
      {
         shared_ptr<ScriptObjectContainer> pContainer = shared_ptr<ScriptObjectContainer>(new ScriptObjectContainer);
         shared_ptr<Result> pResult = shared_ptr<Result>(new Result);
         shared_ptr<ClientInfo> pClientInfo = shared_ptr<ClientInfo>(new ClientInfo);

         pClientInfo->SetUsername(m_sUsername);
         pClientInfo->SetIPAddress(GetIPAddressString());
         pClientInfo->SetPort(GetLocalPort());
         pClientInfo->SetHELO(m_sHeloHost);

         pContainer->AddObject("HMAILSERVER_CLIENT", pClientInfo, ScriptObject::OTClient);
         pContainer->AddObject("Result", pResult, ScriptObject::OTResult);

         String sEventCaller = "OnUserLoggedOn(HMAILSERVER_CLIENT)";
         ScriptServer::Instance()->FireEvent(ScriptServer::EventOnUserLoggedOn, sEventCaller, pContainer);
      }   
Disclaimer:
It's not my fault - any of it! And if it is - I am not liable as I already told you; "it's not my fault".
All rights reserved - but some wrongs are still available.
I don't suffer from insanity. I enjoy every minute of it.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

User avatar
mattg
Moderator
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Event: OnUserLoggedOn(oClient)

Post by mattg » 2015-08-06 00:14

estradis wrote:Authentication failures are always security events, don't you agree?
Not for a second.
many authentication failures are users getting their password wrong.
I use Autoban to manage this.
estradis wrote:
mattg wrote:Please detail why you don't drop rubbish at your firewall...
We work in an ITIL environment. For each change on the firewall (and anything else) I have to work almost three days to create a change request in first with no guarantee to get it permitted. On my mailserver I'm pre-authorized to all changings of definitions or scripts to fight against spammers and intruders. Only once a month I have to report a summary.

Or in short words: I can handle it faster and easier on the mailserver.
SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?

Why don't you create your own branch of the source code to do what you need, then that won't affect what I do >> https://github.com/hmailserver/hmailserver
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Event: OnUserLoggedOn(oClient)

Post by RvdH » 2015-08-06 00:41

Wouldn't you agree it would be easier to monitor logins, both good and failures and log these separately then having to scroll and search through who knows how many lines of log entries?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
mattg
Moderator
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Event: OnUserLoggedOn(oClient)

Post by mattg » 2015-08-06 09:24

Yes some times
But other times it is good to check logs in chronological order

I tend to use Doom's excellent log analyser >> http://log.damnation.org.uk/ when checking logs
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Event: OnUserLoggedOn(oClient)

Post by RvdH » 2015-08-06 09:34

Yes a am aware of existence of that site, very useful indeed! Use that one as well from time to time
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Event: OnUserLoggedOn(oClient)

Post by estradis » 2015-08-06 09:39

mattg wrote:
estradis wrote:Authentication failures are always security events, don't you agree?
Not for a second.
many authentication failures are users getting their password wrong.
I use Autoban to manage this.

...

SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?

Why don't you create your own branch of the source code to do what you need, then that won't affect what I do >> https://github.com/hmailserver/hmailserver
This means the event won't come ever?

User avatar
mattg
Moderator
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Event: OnUserLoggedOn(oClient)

Post by mattg » 2015-08-06 10:04

I've just added a voting panel to the original post
Please feel free to vote
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Event: OnUserLoggedOn(oClient)

Post by RvdH » 2015-08-06 12:40

I voted yes, but instead by doing this with a to be developed by event called something like: OnUserLoggedOn(oClient) i would settle by any method of logging these items separately. I don't care if it is by Script or done inside the actual server application itself
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Event: OnUserLoggedOn(oClient)

Post by estradis » 2015-08-07 11:52

RvdH wrote:I voted yes, but instead by doing this with a to be developed by event called something like: OnUserLoggedOn(oClient) i would settle by any method of logging these items separately. I don't care if it is by Script or done inside the actual server application itself
I voted yes, too. Regardless on other services running or not, the event would be a good trigger to react on time. (I observerd, that the logfile will sometimes be written delayed. In case of intrusion it might be to late!)

mattg wrote:I've just added a voting panel to the original post
Please feel free to vote
As I did. Thank you.

User avatar
SorenR
Senior user
Senior user
Posts: 3183
Joined: 2006-08-21 15:38
Location: Denmark

Re: Event: OnUserLoggedOn(oClient)

Post by SorenR » 2015-08-07 12:24

mattg wrote:SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?
Matt... Adding a script trigger to handle this would probably add 1-2 seconds of total execution time over a 10 year period - if you don't use the trigger... Effectively we are talking about an "IF" statement :mrgreen:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Post Reply