[ZendTo] Failed to unlock user $user as did not match usernameRegexp from preferences.php

Massimo Forni Massimo.Forni at turboden.it
Tue Jul 21 15:30:21 BST 2020 

+1 for this.
I've set up our elasticsearch cluster to send an email notification in case an Active Directory user lockout


From: ZendTo <zendto-bounces at zend.to> On Behalf Of Marlon Deerr via ZendTo
Sent: martedì 21 luglio 2020 15:54
To: 'Jules' <Jules at Zend.To>; ZendTo Users <zendto at zend.to>
Cc: Marlon Deerr <MDeerr at hshlawyers.com>
Subject: Re: [ZendTo] Failed to unlock user $user as did not match usernameRegexp from preferences.php

Jules,

Awesome. Glad I was able to help.

As for your explanation, it makes perfect sense now. If only everyone in the world was really nice and had no knowledge of brute force attacks.

With that said however, as for not showing the message to let the user know that they have been locked out, is there a way for an email to be sent to the administrator (maybe an option that can be turned on/off by the admin) whenever someone's account has been locked. This way if I am the admin, I am full aware of who's account was locked before they even generate a ticket to me. Receiving a notification email of this can be a feature I choose to turn on or off if I don't want to be notified but will rather manually check logs on my own schedule to see what's happening on my ZendTo server.




From: Jules [mailto:Jules at Zend.To]
Sent: Tuesday, July 21, 2020 9:43 AM
To: ZendTo Users <zendto at zend.to<mailto:zendto at zend.to>>
Cc: Marlon Deerr <MDeerr at hshlawyers.com<mailto:MDeerr at hshlawyers.com>>
Subject: Re: [ZendTo] Failed to unlock user $user as did not match usernameRegexp from preferences.php

Marlon,

You are doing a thorough job of this, thank you!

I have fixed the bug(s) you described. It now behaves exactly as expected, including the logging. This will be in the next release.

As for the feature request, the current behaviour is by design.
Someone nasty (a "bad actor" in the jargon) is using your ZendTo site to brute-force break your password.
They keep trying different passwords, but always get the same simple "incorrect" response.
They don't know ZendTo very well, and don't know your configuration settings at all.
As a result, they can't tell if or when they should give up trying to break your username/password, and try some other username instead.

As soon as you display *anything* different, the attacker knows the lock-out limit has been reached and so they should abandon their current attempt and try another one.

So you *never* give away any hints as to why the login attempt failed, beyond a simple fixed error message.

It logs it in the ZendTo log (/var/log/zendto/zendto.log is the file that the "System Log" button shows you the end of), so you can check there.

Cheers,
Jules.

P.S. The "start" and "expiry" date/time selectors on the "Request a drop-off" form are nearly there. I just want to tidy up that page design layout, it's a bit of a mess and I would prefer it to use a grid or two and a flex box like the "new drop-off" form now does.
On 21/07/2020 13:45, Marlon Deerr via ZendTo wrote:
Hi Jules,

I was testing ZendTo. I wanted to see what the log files will report when a user is locked out after 10 unsuccessful login attempts. I noticed that the log file (I think) is incorrectly reporting that a user was not unlocked after administratively unlocking the account, when in fact the user was successfully unlocked. Here are the steps I performed.


  1.  Purposely attempted to log in as a user with incorrect password 10 times
  2.  Logged in as an admin user and examined the System Logs
  3.  System Log file successfully identified this locked user
  4.  Clicked on "Unlock User" from the main screen and selected the user to unlock and unlocked her
  5.  Examined the System Logs again, but this time it said "Failed to unlock user $user as did not match usernameRegexp from preferences.php"
  6.  Logged out as the administrator user
  7.  Tried logged in as this "supposedly" locked user BUT the login was successful.


Does this mean that the System Log file is incorrectly reporting that the user was not unlocked, when in fact the user was unlocked?

ALSO: Feature Request (if possible)

When a user is approaching the maximum allowed failed login attempts can you include a message that


  1.  Warns the user that you have x more attempts before you get locked out (where x is a number)
  2.  After the user has failed to login after 10 attempts, instead of just saying "Authentication Error. The username or password was incorrect", can it not say something like "Authentication Error. You have attempted more than the allowed failed attempts to log in. Your account therefore has been locked. Please contact your administrator to have it unlocked"

While testing this feature above, I found that I was not keeping track of how many times I made a failed login and must have tried over and over again waiting for a message to let me now that I was locked out.  I think having such a message will help reduce IT Tickets from staff wondering why they can't log in. They may not even know they have been locked out.


_______________________________________________

ZendTo mailing list

ZendTo at zend.to<mailto:ZendTo at zend.to>

http://jul.es/mailman/listinfo/zendto<https://urldefense.com/v3/__http:/jul.es/mailman/listinfo/zendto__;!!BYEqwblc0Q!jCBn-WiNh7WoO449qiyB_5KcE5QLYQi385j6eKoA6reZuwaubjVMkyXv1CMM0BbOFGHncw$>


Jules



--

Julian Field MEng CEng CITP MBCS MIEEE MACM



The current UK shipping forecast:

Trafalgar: Cyclonic 6 to gale 8 at first in southeast, otherwise northerly 5

to 7, becoming variable 3 or 4 in southeast. Moderate or rough, occasionally

very rough. Thundery showers. Good, occasionally poor.



www.Zend.To<https://urldefense.com/v3/__http:/www.Zend.To__;!!BYEqwblc0Q!jCBn-WiNh7WoO449qiyB_5KcE5QLYQi385j6eKoA6reZuwaubjVMkyXv1CMM0BbQRNjxEQ$>

Twitter: @JulesFM

--

Massimo Forni
ICT Infrastructure Manager

Mobile: +393474110278

________________________________

Turboden S.p.A. I via Cernaia 10 I 25124 Brescia I Italy
t. +39 030 3552001 I f. +39 030 3552011
www.turboden.com<http://www.turboden.com>


Confidentiality notice: this message, together with its attachments, may contain strictly confidential and/or legally privileged information and it is destined solely to the intended addressee(s), who only may use it under his/their responsibility. Opinions, conclusions and other information contained in this message, that do not relate to the official business of this firm, shall be considered as not given or endorsed by it. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Any use, disclosure, copying or distribution of the contents of this communication by a not-intended recipient or in violation of the purposes of this communication is strictly prohibited and may be unlawful.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20200721/c5a14682/attachment-0001.html>

More information about the ZendTo mailing list