Log Failed Logins in MODX

A MODX forum user asked for a way to log failed logins after a user complained that they were entering the correct credentials and sometimes not getting in. Here's a small plugin that writes information to the MODX error log when a login fails.

Be sure to read the section below on security and privacy issues!

The plugin is also useful for seeing whether attackers are trying to log in to your site, and which usernames they are trying.

The Plugin

This plugin (we’ll call it FailedLogin, though the name is arbitrary) should be connected to the OnBeforeWebLogin event, and also to OnBeforeManagerLogin if you want to log failed Manager logins. Just check those events on the System Events tab when editing the plugin. Be sure to save the plugin after checking them.

Here’s the code:

[code language="php"]
/* $username and $password are passed in by the OnBeforeWebLogin
   and OnBeforeManagerLogin events */
$loginUser = $modx->getObject('modUser', array('username' => $username));
$msg = '';
if (!$loginUser) {
    /* User not found */
    $msg = "[FailedLogin plugin] - User not found: {$username}";
} else {
    /* User found, check password */
    /* Don't log admin credentials */
    if ($username == 'yourusernamehere') {
        return true;
    }
    if (!$loginUser->passwordMatches($password)) {
        /* Password is wrong */
        $msg = "[FailedLogin plugin] - invalid password: {$password} for user: {$username}";
    } else {
        /* Login will be successful */
        // $msg = "Successful login for user: {$username} with password: {$password}";
    }
}

if (!empty($msg)) {
    $modx->log(modX::LOG_LEVEL_ERROR, $msg);
}

/* Make sure we don't interfere with the regular login process */
return true;
[/code]
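The plugin above writes the submitted password into the log. That is what the forum user wanted for troubleshooting, and it is also the reason for the privacy section below. The following variant is an added example, not the original plugin: it records the attempted username, whether that account exists, the client IP address and the name of the firing event, and drops the password. The `failedLoginMessage` helper and the demonstration input are my own; `$modx->event->name`, `modUser::passwordMatches()`, `$modx->log()` and `$_SERVER['REMOTE_ADDR']` are as in MODX 2.x and PHP. When you paste it into a plugin in the Manager, leave out the opening `<?php` line.

```php
<?php
/*
 * FailedLogin variant (added example): log who failed and from where, never the password.
 * Attach it to OnBeforeWebLogin and/or OnBeforeManagerLogin like the plugin above.
 * Run "php FailedLogin.php" outside MODX to see the messages it would produce.
 */

/* MODX wraps plugin code in a function and may run it more than once per request,
 * so guard the helper against a "cannot redeclare function" fatal error. */
if (!function_exists('failedLoginMessage')) {
    /**
     * Return the log line for one attempt, or null when the login will succeed.
     *
     * @param string $event      firing event, e.g. OnBeforeWebLogin
     * @param string $username   username exactly as the client submitted it
     * @param bool   $userExists a modUser with that username exists
     * @param bool   $passwordOk the submitted password matched that user
     * @param string $ip         client address as seen by the web server
     * @return string|null
     */
    function failedLoginMessage($event, $username, $userExists, $passwordOk, $ip)
    {
        if ($userExists && $passwordOk) {
            return null;
        }
        $reason = $userExists ? 'invalid password' : 'user not found';
        /* The username is attacker controlled: keep it printable and on one line
         * so a crafted value cannot split or forge log entries. */
        $safeUser = substr(preg_replace('/[^\x20-\x7E]/', '?', (string) $username), 0, 100);
        return sprintf('[FailedLogin plugin] %s: %s user=%s ip=%s',
            $event, $reason, $safeUser, $ip);
    }
}

/* Plugin body: $modx, $username and $password exist only when MODX runs this. */
if (isset($modx)) {
    $loginUser  = $modx->getObject('modUser', array('username' => $username));
    $userExists = (bool) $loginUser;
    $passwordOk = $userExists && $loginUser->passwordMatches($password);
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    $msg = failedLoginMessage($modx->event->name, $username, $userExists, $passwordOk, $ip);
    if ($msg !== null) {
        $modx->log(modX::LOG_LEVEL_ERROR, $msg);
    }
    return true; /* never interfere with the regular login process */
}

/* Stand-alone demonstration with constructed input (not real log data). */
if (PHP_SAPI === 'cli') {
    echo failedLoginMessage('OnBeforeWebLogin', 'admin', true, false, '203.0.113.7'), PHP_EOL;
    echo failedLoginMessage('OnBeforeManagerLogin', "nobody\n[fake entry]", false, false, '198.51.100.2'), PHP_EOL;
    var_dump(failedLoginMessage('OnBeforeWebLogin', 'alice', true, true, '203.0.113.7'));
}
```

Logging the IP address and the event name is what makes the entries useful later: a run of failures for one username from one address, or a stream of "user not found" lines for names that have never existed on your site, is recognisable at a glance, and none of it requires keeping anyone's password.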

 

Options

The line that logs successful logins is commented out in the code above. You can uncomment it to add successful logins to the log, but be aware that it also records the correct password of every user who logs in; if you enable it, at least remove `{$password}` from the message.

You could also replace the section that prevents the admin credentials from being logged (the `if ($username == 'yourusernamehere')` block) with this, in order to prevent logging the credentials of any member of the Administrator group:

[code]
/* $loginUser is known to exist at this point */
if ($loginUser->isMember('Administrator')) {
    return true;
}
[/code]

If you want the log to contain only probing by outsiders, you can drop all your regular users from it with this code. Be clear about what that filters out: password guessing aimed at a real account (an administrator's, typically) is exactly what a brute-force attack looks like, and this variant suppresses it. If those attempts are what you want to see, keep them and remove the password from the message instead.

[code]
/* List all your user groups here; isMember() accepts an array */
$groups = array(
    'Administrator',
    'Editor',
    'ForumMembers',
);
if ($loginUser->isMember($groups)) {
    return true;
}
[/code]

Do not include the (anonymous) user group in the list. As with the earlier variant, this block belongs inside the `else` branch, where `$loginUser` is known to exist; calling `isMember()` on a missing user would cause a fatal error. Add the code carefully: if you create a syntax error, the plugin may crash and prevent anyone (including you) from logging in.
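Whichever variant you use, the log is only worth having if someone looks at it. The script below is an added example, not part of the original post: it reads the lines the original plugin writes to core/cache/logs/error.log, groups failures by username, and flags any username that accumulates more failures inside a short window than a real person would produce. The line layout it assumes is the xPDO default (`[date] (ERROR @ file : line) message`) followed by the plugin's own messages; the sample lines, the 60-second window and the threshold are constructed for the demonstration. The password field of the "invalid password" lines is matched but never stored.

```php
<?php
/*
 * failed_login_report.php (added example): summarize FailedLogin plugin entries
 * from a MODX error.log and flag bursts that look like password guessing.
 * Usage: php failed_login_report.php [path/to/error.log]
 */

/** Parse one log line; returns array(ts, reason, user) or null if not ours. */
function parseFailedLoginLine($line)
{
    $re = '/^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] \(ERROR[^)]*\) \[FailedLogin plugin\] [-\x{2013}] '
        . '(User not found|invalid password): (.*)$/u';
    if (!preg_match($re, rtrim($line, "\r\n"), $m)) {
        return null;
    }
    $ts = strtotime($m[1]);
    if ($m[2] === 'User not found') {
        return array('ts' => $ts, 'reason' => 'unknown_user', 'user' => $m[3]);
    }
    /* "invalid password: <password> for user: <username>": keep only the username */
    if (!preg_match('/^.* for user: (.+)$/', $m[3], $u)) {
        return null;
    }
    return array('ts' => $ts, 'reason' => 'bad_password', 'user' => $u[1]);
}

/**
 * Per-username summary: total failures, failures against a non-existent
 * account, and the largest number of failures inside any $window seconds.
 * A burst of $threshold or more is marked suspicious.
 */
function analyzeFailedLogins(array $lines, $window = 60, $threshold = 5)
{
    $byUser = array();
    foreach ($lines as $line) {
        $rec = parseFailedLoginLine($line);
        if ($rec === null) {
            continue;
        }
        $u = $rec['user'];
        if (!isset($byUser[$u])) {
            $byUser[$u] = array('total' => 0, 'unknown_user' => 0, 'times' => array());
        }
        $byUser[$u]['total']++;
        if ($rec['reason'] === 'unknown_user') {
            $byUser[$u]['unknown_user']++;
        }
        $byUser[$u]['times'][] = $rec['ts'];
    }

    $report = array();
    foreach ($byUser as $u => $info) {
        sort($info['times']);
        $burst = 0;
        $start = 0;
        /* sliding window over the sorted timestamps */
        foreach ($info['times'] as $i => $t) {
            while ($t - $info['times'][$start] > $window) {
                $start++;
            }
            $burst = max($burst, $i - $start + 1);
        }
        $report[$u] = array(
            'total'        => $info['total'],
            'unknown_user' => $info['unknown_user'],
            'max_burst'    => $burst,
            'suspicious'   => $burst >= $threshold,
        );
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        $lines = file($argv[1]);
    } else {
        /* Constructed sample: a guessing run against "admin", one typo by "bob",
         * probes for a username that does not exist, and an unrelated error line. */
        $p = '(ERROR @ /core/cache/includes/elements/modplugin/3.include.cache.php : 38) [FailedLogin plugin] -';
        $lines = array(
            "[2013-05-20 10:00:01] $p invalid password: letmein for user: admin",
            "[2013-05-20 10:00:03] $p invalid password: password1 for user: admin",
            "[2013-05-20 10:00:04] $p invalid password: admin123 for user: admin",
            "[2013-05-20 10:00:09] $p invalid password: qwerty for user: admin",
            "[2013-05-20 10:07:41] $p invalid password: Hunter2 for user: bob",
            "[2013-05-20 10:12:00] $p User not found: root",
            "[2013-05-20 10:12:02] $p User not found: root",
            "[2013-05-20 10:15:30] (ERROR @ /core/model/modx/modx.class.php : 1000) Could not load element",
        );
    }
    foreach (analyzeFailedLogins($lines, 60, 3) as $user => $r) {
        printf("%-10s total=%d unknown_user=%d max_burst=%d %s\n", $user, $r['total'],
            $r['unknown_user'], $r['max_burst'], $r['suspicious'] ? 'SUSPICIOUS' : '');
    }
}
```

Run against the constructed sample, `admin` is flagged (four failures inside nine seconds), `bob` is not, and `root` shows up as two attempts against an account that does not exist. Because the original plugin's "invalid password" lines carry the password, the parser deliberately discards that field instead of copying it into the report, so the report can be shared more freely than the log itself.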

 

Disaster Recovery

If you make a mistake entering the code and are unable to log in, use phpMyAdmin in cPanel to disable the plugin. Select the MODX database, find the plugin's row in the modx_site_plugins table (`modx_` is the default table prefix; yours may differ), change the value of the disabled field from 0 to 1, then click on the "Go" button. Delete all files in the core/cache directory before trying to log in again, so that the cached copy of the plugin code is rebuilt.

 

Privacy and Security Issues

This code captures and logs both the usernames and the passwords of your users. That may violate your users' expectations and their privacy, and it is a security problem in its own right: a mistyped password is usually the real one with a character wrong, many people reuse passwords across sites, and anyone who can read the log (other administrators, hosting support, whoever holds a backup) now has them in plain text. If you do not need the password for troubleshooting, leave it out of the message.

Important! The error log is a plain-text file on the server (core/cache/logs/error.log). In many installations it can be viewed simply by going to http://yoursite.com/core/cache/logs/error.log, so check yours now. Be sure that it is protected from prying eyes, preferably by moving the MODX core above the web root where it can't be reached by outside users.

You can place the log messages in a custom log in another location with code like this:

[code language="php"]
/* Write to a custom file instead of core/cache/logs/error.log.
   Use an absolute path to a directory outside the web root. */
$log_target = array(
    'target' => 'FILE',
    'options' => array(
        'filepath' => 'path/to/directory/',
        'filename' => 'my_custom.log',
    )
);

$modx->log(modX::LOG_LEVEL_ERROR, $msg, $log_target);
[/code]

The filepath must end in a slash. Use an absolute path (for example one built from MODX_CORE_PATH) rather than a relative one, since a relative path is resolved against the working directory of the PHP process, and point it at a directory that exists, is writable by the web server, and sits outside the web root. If you leave filepath out, xPDO falls back to the core/cache/logs/ directory.

A simpler solution is to leave the error log where it is, rename the ht.access file in the MODX core directory to .htaccess, and change its content to this:

[code language="html"]
IndexIgnore */*
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
<Files *.log>
Order Deny,Allow
Deny from all
</Files>
[/code]

That will stop Apache from serving any .log (or .php) file under core remotely, provided AllowOverride permits .htaccess files there. Two things to check before relying on it: the Order/Deny directives above are Apache 2.2 syntax and are rejected by Apache 2.4 unless mod_access_compat is loaded (on 2.4 use `Require all denied` inside each Files block instead), and, whichever syntax applies, request http://yoursite.com/core/cache/logs/error.log in a browser afterwards and confirm you get a 403 rather than the log.

For more information on how to use MODX to create a web site, see my web site Bob's Guides, or better yet, buy my book: MODX: The Official Guide.


Author Spotlight

Bob Ray

Bob Ray is the author of MODX: The Official Guide and over 30 MODX add-on components. He hosts Bob's Guides, a source of valuable information for MODX users, and has been very active in the MODX Forums with over 19,000 posts.
