From 49036e6003b0410dd6f5eda5e179dbcd0abc8ae8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Tue, 3 Mar 2009 16:20:41 +0000
Subject: [PATCH] rfe #1694104 Allow logging of user status with Apache.
---
 ChangeLog | 1 +
 Documentation.html | 30 ++++++++++++++++++++++++++++++
 libraries/common.inc.php | 10 +++++++++-
 libraries/dbi/mysql.dbi.lib.php | 3 +++
 libraries/dbi/mysqli.dbi.lib.php | 3 +++
 libraries/logging.lib.php | 19 +++++++++++++++++++
 6 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 libraries/logging.lib.php
diff --git a/ChangeLog b/ChangeLog
index 9e9b0e2340..bd71701112 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -40,6 +40,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 + rfe #2186820 Explanation for using Host table.
 + rfe #1369509 Link to download more themes.
 + rfe #1666487 Add option to generate password on change password page.
++ rfe #1694104 Allow logging of user status with Apache.
 3.1.4.0 (not yet released)
 + patch #1808339 [doc] Apache SSLOptions and StdEnvVars FAQ,
diff --git a/Documentation.html b/Documentation.html
index 53b2821f1a..d32cbaa503 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -4127,6 +4127,36 @@ chmod o+rwx tmp http://www.phpmyadmin.net/home_page/security.php

+

+ 8.2 How can I protect phpMyAdmin against brute force attacks?

+ +

If you use Apache web server, phpMyAdmin exports information about + authentication to Apache environment and it can be used in Apache logs. + Currently there are two variables available: +

+
+
userID
+
User name of currently active user (he does not have to be logged + in).
+
userStatus
+
Status of currently active user, one of ok (user is + logged in), mysql-denied (MySQL denied user login), + allow-denied (user denied by allow/deny rules), + root-denied (root is denied in configuration), + empty-denied (empty password is denied). +
+

+ LogFormat directive for Apache can look like following: +

+
+LogFormat "%h %l %u %t \"%r\" %>s %b \
+\"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n"   pma_combined
+
+

+ You can then use any log analyzing tools to detect possible break in + attempts. +

+

Developers Information

diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 4726cd0121..dbcd99d9c6 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -810,6 +810,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {
 */
 require_once './libraries/database_interface.lib.php';
+ require_once './libraries/logging.lib.php';
+
 // Gets the authentication library that fits the $cfg['Server'] settings
 // and run authentication
@@ -870,7 +872,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {
 // Ejects the user if banished
 if ($allowDeny_forbidden) {
- PMA_auth_fails();
+ PMA_log_user($cfg['Server']['user'], 'allow-denied');
+ PMA_auth_fails();
 }
 unset($allowDeny_forbidden); //Clean up after you!
 } // end if
@@ -878,6 +881,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
 // is root allowed?
 if (!$cfg['Server']['AllowRoot'] && $cfg['Server']['user'] == 'root') {
 $allowDeny_forbidden = true;
+ PMA_log_user($cfg['Server']['user'], 'root-denied');
 PMA_auth_fails();
 unset($allowDeny_forbidden); //Clean up after you!
 }
@@ -885,6 +889,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
 // is a login without password allowed?
 if (!$cfg['Server']['AllowNoPassword'] && $cfg['Server']['password'] == '') {
 $login_without_password_is_forbidden = true;
+ PMA_log_user($cfg['Server']['user'], 'empty-denied');
 PMA_auth_fails();
 unset($login_without_password_is_forbidden); //Clean up after you!
 }
@@ -907,6 +912,9 @@ if (! defined('PMA_MINIMUM_COMMON')) {
 $controllink = $userlink;
 }
+ /* Log success */
+ PMA_log_user($cfg['Server']['user']);
+
 /**
 * with phpMyAdmin 3 we support MySQL >=5
 * but only production releases:
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 0db781785d..1539614dad 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -10,6 +10,8 @@ if (! defined('PHPMYADMIN')) {
 exit;
 }
+require_once './libraries/logging.lib.php';
+
 /**
 * MySQL client API
 */
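Review bot: The user name handed to `PMA_log_user()` in the `allow-denied`, `root-denied`, `empty-denied` and success hunks of common.inc.php (and as `$user` in the `mysql-denied` hunks of both dbi drivers) reaches the Apache log with no normalisation at any call site, and the documentation hunk states it is recorded for users who are not logged in, so its content is whatever was typed into the login form. Because the body of the new libraries/logging.lib.php is not preserved in this rendering of the patch, whether the helper strips control characters cannot be checked here; if it does not, a name containing a line break would violate the one-record-per-line assumption that the log-analysis use recommended in the FAQ depends on. A single guard in the helper, such as `$user = preg_replace('/[\x00-\x1f\x7f]+/', '?', (string) $user);`, applied before the value is passed on, would cover all five call sites. The enclosing `if (! defined('PMA_MINIMUM_COMMON')) {` block begins and ends outside these hunks.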
@@ -85,6 +87,7 @@ function PMA_DBI_connect($user, $password, $is_controluser = false)
 trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
 return false;
 }
+ PMA_log_user($user, 'mysql-denied');
 PMA_auth_fails();
 } // end if
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index b43d6dbae5..a781e6ad69 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -10,6 +10,8 @@ if (! defined('PHPMYADMIN')) {
 exit;
 }
+require_once './libraries/logging.lib.php';
+
 /**
 * MySQL client API
 */
@@ -97,6 +99,7 @@ function PMA_DBI_connect($user, $password, $is_controluser = false)
 trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
 return false;
 }
+ PMA_log_user($user, 'mysql-denied');
 PMA_auth_fails();
 } // end if
diff --git a/libraries/logging.lib.php b/libraries/logging.lib.php
new file mode 100644
index 0000000000..e0f0eba2c0
--- /dev/null
+++ b/libraries/logging.lib.php
@@ -0,0 +1,19 @@
+
--
2.11.4.GIT
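Review bot: Every `PMA_log_user()` call this patch adds is immediately followed by `PMA_auth_fails();` — here in mysql.dbi.lib.php, again in the mysqli hunk on this line, and three more times in common.inc.php — so the status-then-fail pairing is now spelled out five times with bare string literals. Routing the failure path through one helper in logging.lib.php (for example a `PMA_log_user_and_fail($user, $status)` wrapper, or named constants for the documented status values) would keep the call sites and the values listed in Documentation.html from drifting apart. The `mysql-denied` call sits after the control-user early return, so a failed control-user connection is, as far as the visible lines show, never reported to Apache; if that is intended it deserves a one-line comment such as `// control-user failures are reported via trigger_error() only`. `PMA_DBI_connect()` begins and ends outside this hunk.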