rfe #1694104 Allow logging of user status with Apache.

2009-03-03 16:20:41 +00:00
parent cb47ae8d3c
commit 49036e6003
6 changed files with 65 additions and 1 deletions
--- a/1
+++ b/1
@@ -40,6 +40,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 + rfe #2186820 Explanation for using Host table.
 + rfe #1369509 Link to download more themes.
 + rfe #1666487 Add option to generate password on change password page.
+ rfe #1694104 Allow logging of user status with Apache.

 3.1.4.0 (not yet released)
 + patch #1808339 [doc] Apache SSLOptions and StdEnvVars FAQ,
--- a/Documentation.html
+++ b/Documentation.html
@@ -4127,6 +4127,36 @@ chmod o+rwx tmp
    <a href="http://www.phpmyadmin.net/home_page/security.php">http://www.phpmyadmin.net/home_page/security.php</a>
 </p>

+<h4 id="faq8_2">
+    <a href="#faq8_2">8.2 How can I protect phpMyAdmin against brute force attacks?</a></h4>
+
+<p> If you use Apache web server, phpMyAdmin exports information about 
+    authentication to Apache environment and it can be used in Apache logs.
+    Currently there are two variables available:
+</p>
+<dl>
+    <dt><code>userID</code></dt>
+    <dd>User name of currently active user (he does not have to be logged
+    in).</dd>
+    <dt><code>userStatus</code></dt>
+    <dd>Status of currently active user, one of <code>ok</code> (user is 
+    logged in), <code>mysql-denied</code> (MySQL denied user login),
+    <code>allow-denied</code> (user denied by allow/deny rules),
+    <code>root-denied</code> (root is denied in configuration),
+    <code>empty-denied</code> (empty password is denied).
+</dl>
+<p>
+    <code>LogFormat</code> directive for Apache can look like following:
+</p>
+<pre>
+LogFormat "%h %l %u %t \"%r\" %>s %b \
+\"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n"   pma_combined
+</pre>
+<p>
+    You can then use any log analyzing tools to detect possible break in
+    attempts.
+</p>
+
 <!-- DEVELOPERS -->
 <h2 id="developers">Developers Information</h2>

--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -810,6 +810,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {
         */
        require_once './libraries/database_interface.lib.php';

+        require_once './libraries/logging.lib.php';
+
        // Gets the authentication library that fits the $cfg['Server'] settings
        // and run authentication

@@ -870,7 +872,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {

            // Ejects the user if banished
            if ($allowDeny_forbidden) {
-               PMA_auth_fails();
+                PMA_log_user($cfg['Server']['user'], 'allow-denied');
+                PMA_auth_fails();
            }
            unset($allowDeny_forbidden); //Clean up after you!
        } // end if
@@ -878,6 +881,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
        // is root allowed?
        if (!$cfg['Server']['AllowRoot'] && $cfg['Server']['user'] == 'root') {
            $allowDeny_forbidden = true;
+            PMA_log_user($cfg['Server']['user'], 'root-denied');
            PMA_auth_fails();
            unset($allowDeny_forbidden); //Clean up after you!
        }
@@ -885,6 +889,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
        // is a login without password allowed?
        if (!$cfg['Server']['AllowNoPassword'] && $cfg['Server']['password'] == '') {
            $login_without_password_is_forbidden = true;
+            PMA_log_user($cfg['Server']['user'], 'empty-denied');
            PMA_auth_fails();
            unset($login_without_password_is_forbidden); //Clean up after you!
        }
@@ -907,6 +912,9 @@ if (! defined('PMA_MINIMUM_COMMON')) {
            $controllink = $userlink;
        }

+        /* Log success */
+        PMA_log_user($cfg['Server']['user']);
+
        /**
         * with phpMyAdmin 3 we support MySQL >=5
         * but only production releases:
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -10,6 +10,8 @@ if (! defined('PHPMYADMIN')) {
    exit;
 }

+require_once './libraries/logging.lib.php';
+
 /**
 * MySQL client API
 */
@@ -85,6 +87,7 @@ function PMA_DBI_connect($user, $password, $is_controluser = false)
            trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
            return false;
        }
+        PMA_log_user($user, 'mysql-denied');
        PMA_auth_fails();
    } // end if

--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -10,6 +10,8 @@ if (! defined('PHPMYADMIN')) {
    exit;
 }

+require_once './libraries/logging.lib.php';
+
 /**
 * MySQL client API
 */
@@ -97,6 +99,7 @@ function PMA_DBI_connect($user, $password, $is_controluser = false)
            trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
            return false;
        }
+        PMA_log_user($user, 'mysql-denied');
        PMA_auth_fails();
    } // end if

--- a/libraries/logging.lib.php
+++ b/libraries/logging.lib.php
@@ -0,0 +1,19 @@
+<?php
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+ * Logging functionality for webserver.
+ *
+ * This includes web server specific code to log some information.
+ *
+ * @version $Id: common.inc.php 12268 2009-03-02 16:19:36Z lem9 $
+ * @package phpMyAdmin
+ */
+
+function PMA_log_user($user, $status = 'ok'){
+    if (function_exists('apache_note')) {
+        apache_note('userID', $user);
+        apache_note('userStatus', $status);
+    }
+}
+
+?>