Event: OnUserLoggedOn(oClient)

[RvdH]

I would love to have an eventhandler 'OnUserLoggedOn(oClient)' added that would made it (easily) possible for me to determine what user is connecting and how often on specific port, from some IPaddress as i have the feeling some clients are hammering my server, logging in every 30sec or so

The values that should be available, would be:

• oClient.IPaddress
  oClient.Port
  oClient.Username

[Bill48105]

I would love to have an eventhandler 'OnUserLoggedOn(oClient)' added that would made it (easily) possible for me to determine what user is connecting and how often on specific port, from some IPaddress as i have the feeling some clients are hammering my server, logging in every 30sec or so

The values that should be available, would be:

• oClient.IPaddress
  oClient.Port
  oClient.Username

Not sure it's posted but this is one of the many new events I'd like to add at some point along with onloginfail onlogin among a few others. (Event names subject to change)

[RvdH]

Hi Bill48105,

Until those script events are added would it be possible for you to to add such features in your experimental builds?

I am thinking about logging to /Logs/userlogins.txt and there log all successful/failed login attempts (for all protocols and ports)
Example:

[2014-06-10 10:53:14]: Failed login for info@domainname.com.nl from 111.111.111.111 on port 25
[2014-06-10 10:53:32]: Successful login for info@domainname.com from 111.111.111.111 on port 465

RvdH

[Bill48105]

Hi Bill48105,

Until those script events are added would it be possible for you to to add such features in your experimental builds?

I am thinking about logging to /Logs/userlogins.txt and there log all successful/failed login attempts (for all protocols and ports)
Example:

[2014-06-10 10:53:14]: Failed login for info@domainname.com.nl from 111.111.111.111 on port 25
[2014-06-10 10:53:32]: Successful login for info@domainname.com from 111.111.111.111 on port 465

RvdH

Right I am referring to my experimental builds as I have no direct access to the official source (it's a fork of the official on github now) and I can't make official releases myself anyway. But adding events isn't exactly trivial & unlikely to happen any time soon unless my schedule loosens up a bit.

Indeed built-in logging for logins would be useful aside from login events.
Bill

[estradis]

I also need this Event very urgent, because our hmail is under attack daily with IP addresses originated in russia and china.
Is there a timeline when these events will be implemented?

I tried to catch the OnError event, but it doesn't catch these failures.
(Seems that "Authentication failure" is not an error ...)

[jimimaseye]

Read here: viewtopic.php?p=163328#p163328

and you will find a solution Im sure.

[estradis]

Read here: viewtopic.php?p=163328#p163328

and you will find a solution Im sure.

It helped only by implementing GeoIP, but I still needed this Event until now. Meanwhile I created a monitor service on the logfiles which fires an own event when some search patterns matched to log lines. So I can handle each connection and not only authenticated sessions or authentication failures. With this service I was able to implement a reputation db for each ip address remembering what it did on our server. This enables me to forecast the most connections and drop the su****s out before they can post anything.

Although I strongly recommend to implement this event asap regardless of any "quick and dirty" workarounds. It is a security feature and security should always be implemented!

[mattg]

It is a security feature and security should always be implemented!

Please explain why it is a security feature?

Please explain why the GeoIP doesn't work for you?
Please detail why you don't drop rubbish at your firewall...

[estradis]

It is a security feature and security should always be implemented!

Please explain why it is a security feature?

Authentication failures are always security events, don't you agree?

It helped only by implementing GeoIP

Please explain why the GeoIP doesn't work for you?

Maybe you misunderstood me. GeoIP helped, but it cannot handle authentication events, so it was only a small part.

Please detail why you don't drop rubbish at your firewall...

We work in an ITIL environment. For each change on the firewall (and anything else) I have to work almost three days to create a change request in first with no guarantee to get it permitted. On my mailserver I'm pre-authorized to all changings of definitions or scripts to fight against spammers and intruders. Only once a month I have to report a summary.

Or in short words: I can handle it faster and easier on the mailserver.

[RvdH]

Yep, that also why my concern when requesting this feature, a simple log files with all authentication request, both good and failures the determine issues on all configured ports

[SorenR]

Check sourcecode and look for AccountLogon.cpp, AccountLogon::Logon is a common function for all protocols, so figuring out what exactly the client is logging on via... well, might be a challenge... IF the code attached is not able to provide the Port number .

But if the objective is to add two triggers, this is the most likely place... AND definitions for the triggers go in ScriptServer.cpp and ScriptServer.h - check for existing ones and Copy&Paste

Suggestive code for subj..

Code: Select all

      if (Configuration::Instance()->GetUseScriptServer())
      {
         shared_ptr<ScriptObjectContainer> pContainer = shared_ptr<ScriptObjectContainer>(new ScriptObjectContainer);
         shared_ptr<Result> pResult = shared_ptr<Result>(new Result);
         shared_ptr<ClientInfo> pClientInfo = shared_ptr<ClientInfo>(new ClientInfo);

         pClientInfo->SetUsername(m_sUsername);
         pClientInfo->SetIPAddress(GetIPAddressString());
         pClientInfo->SetPort(GetLocalPort());
         pClientInfo->SetHELO(m_sHeloHost);

         pContainer->AddObject("HMAILSERVER_CLIENT", pClientInfo, ScriptObject::OTClient);
         pContainer->AddObject("Result", pResult, ScriptObject::OTResult);

         String sEventCaller = "OnUserLoggedOn(HMAILSERVER_CLIENT)";
         ScriptServer::Instance()->FireEvent(ScriptServer::EventOnUserLoggedOn, sEventCaller, pContainer);
      }   

Disclaimer:
It's not my fault - any of it! And if it is - I am not liable as I already told you; "it's not my fault".
All rights reserved - but some wrongs are still available.
I don't suffer from insanity. I enjoy every minute of it.

[mattg]

Authentication failures are always security events, don't you agree?

Not for a second.
many authentication failures are users getting their password wrong.
I use Autoban to manage this.

Please detail why you don't drop rubbish at your firewall...

We work in an ITIL environment. For each change on the firewall (and anything else) I have to work almost three days to create a change request in first with no guarantee to get it permitted. On my mailserver I'm pre-authorized to all changings of definitions or scripts to fight against spammers and intruders. Only once a month I have to report a summary.

Or in short words: I can handle it faster and easier on the mailserver.

SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?

Why don't you create your own branch of the source code to do what you need, then that won't affect what I do >> https://github.com/hmailserver/hmailserver

[RvdH]

Wouldn't you agree it would be easier to monitor logins, both good and failures and log these separately then having to scroll and search through who knows how many lines of log entries?

[mattg]

Yes some times
But other times it is good to check logs in chronological order

I tend to use Doom's excellent log analyser >> http://log.damnation.org.uk/ when checking logs

[RvdH]

Yes a am aware of existence of that site, very useful indeed! Use that one as well from time to time

[estradis]

Authentication failures are always security events, don't you agree?

Not for a second.
many authentication failures are users getting their password wrong.
I use Autoban to manage this.

...

SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?

Why don't you create your own branch of the source code to do what you need, then that won't affect what I do >> https://github.com/hmailserver/hmailserver

This means the event won't come ever?

[mattg]

I've just added a voting panel to the original post
Please feel free to vote

[RvdH]

I voted yes, but instead by doing this with a to be developed by event called something like: OnUserLoggedOn(oClient) i would settle by any method of logging these items separately. I don't care if it is by Script or done inside the actual server application itself

[estradis]

I voted yes, but instead by doing this with a to be developed by event called something like: OnUserLoggedOn(oClient) i would settle by any method of logging these items separately. I don't care if it is by Script or done inside the actual server application itself

I voted yes, too. Regardless on other services running or not, the event would be a good trigger to react on time. (I observerd, that the logfile will sometimes be written delayed. In case of intrusion it might be to late!)

I've just added a voting panel to the original post
Please feel free to vote

As I did. Thank you.

[SorenR]

SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?

Matt... Adding a script trigger to handle this would probably add 1-2 seconds of total execution time over a 10 year period - if you don't use the trigger... Effectively we are talking about an "IF" statement