RocketChat / feature-requests

This repository is used to track Rocket.Chat feature requests and discussions. Click here to open a new feature request.

Login history with timestamp and ip address #621

Open net-activities opened 7 years ago

net-activities commented 7 years ago

Your Rocket.Chat version: (46.0)

To be able to press criminal charges against offenders and pedophiles, we would like to have a login history for every user with timestamp and ip address.

childnode commented 7 years ago

Audit logs are a great idea, but just a drop-in from my perspective: it should be possible to disable them, else the platform might not be installed internally for some company purposes anymore, since auditing "activities of employees" is critical in some circumstances / countries.

Mte90 commented 7 years ago

Well, Rocketchat already has a flag for log verbosity, so I guess it is possible to add a new level or a new parameter for privacy concerns in the log.

alxrcs commented 7 years ago

It'd be great to be able to know at least the last IP address someone logged in from. This would allow us to deal with some kind of spammers we're having.

engelgabriel commented 7 years ago

We need to create this with a setting, and probably a disclosure message on the login page.

Nemra1 commented 7 years ago

We need that, and add IP ban with it.

flantascience commented 7 years ago

+1 this issue finally came up today on my site.

maeserati commented 7 years ago

Yes, come on Rocketchat, older chat systems like Chatblzer let admins/mods see a user's IP address for years now. This would be a great feature.

sugo23 commented 7 years ago

Need this too.

WebSavvyDude commented 7 years ago

This feature should be a priority with the ability to ban :)

lunitic commented 6 years ago

This patch adds an IP log collection to your rocket.chat. @engelgabriel Hope it can inspire others.

diff --git a/server/lib/accounts.js b/server/lib/accounts.js
index 1cffa6d..a185a2a 100644
--- a/server/lib/accounts.js
+++ b/server/lib/accounts.js
@@ -179,6 +179,8 @@ Accounts.validateLoginAttempt(function(login) {
        return RocketChat.callbacks.run('afterValidateLogin', login);
    });

+   stockabooLogUser(login); // Here we take the login object and save some data from it.
+
    return true;
 });
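
Review bot: the `stockabooLogUser(login)` call added before `return true` is unconditional and unguarded, so an exception inside it (for example a failed database write) would propagate out of `Accounts.validateLoginAttempt` and reject an otherwise valid login. Wrap the call in try/catch and log the error, and gate it behind an admin setting so that deployments which must not record addresses can turn it off. Placed here, it also records only the attempts that reach this line.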

@@ -217,3 +219,28 @@ Accounts.validateNewUser(function(user) {

    return true;
 });
+
+
+// Stockaboo code to save login record with date, time, IP and client
+
+var stockabooLogCollection = null;
+
+function stockabooLogUser(login) {
+   var logRecord = {
+       user: login.user.username,
+       name: login.user.name,
+       clientAddress: login.connection.clientAddress,
+       forwardedFor: login.connection.httpHeaders["x-forwarded-for"],
+       lastLogin: login.user.lastLogin,
+       timeNow: new Date(),
+       userAgent: login.connection.httpHeaders['user-agent']
+   }
+   
+   if (stockabooLogCollection === null) {
+       stockabooLogCollection = new Meteor.Collection("stockaboo_log");
+   } 
+
+   stockabooLogCollection.upsert({user: login.user.username, 
+                                      clientAddress: login.connection.clientAddress, 
+                                      forwardedFor: login.connection.httpHeaders["x-forwarded-for"]}, logRecord);
+}
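
Review bot: the `stockabooLogCollection.upsert(...)` at the end of `stockabooLogUser` is keyed on user, clientAddress and forwardedFor and passes `logRecord` as a full replacement, so a repeat login from the same address overwrites the previous `timeNow` and the collection holds the latest login per address rather than a history; use `insert` if every login should be kept. `forwardedFor` is the raw `x-forwarded-for` request header, which the client controls unless the reverse proxy overwrites it, so it should not be part of the key or be treated as the source address without validation. `login.user` is dereferenced without a check, the collection has no index or retention limit, and the `logRecord` object literal is missing its trailing semicolon.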

ghost commented 6 years ago

How is this implemented on a snap install @lunitic ?

NameTheJew commented 6 years ago

"muh pedophiles" the ever spouted excuse for MORE INTERNET CENSORSHIP & MONITORING

WHY are pedophiles attracted to your site/chat? It's HIGHLY unusual when they have their own encrypted private options.

Banning IP doesn't stop anyone, and DYNAMIC IPs change, and people can change VPN IP etc. You could make your rooms PRIVATE? You could DISABLE file picture sharing.

There is a small handful of "people" shilling for IP logs, who I suspect are feds trying to create honeypots, or undermine Rocketchat's privacy.

MarekRzewuski commented 5 years ago

Hi lunitic! Is this patch still valid for the current version of Rocket Chat? Where do I find the log file with IP/username? thx!

ExTechOp commented 5 years ago

We are running Rocket behind an nginx reverse proxy on our own server. It turns out these days "advanced persistent threats" (or maybe just professional criminals, the distinction doesn't matter from our point of view) are snowshoeing just about every service we have with authentication on the internet. It would be nice to get some reasonable format logs from Rocket so that we can apply fail2ban or some similar blocking mechanism, and perhaps also report it onwards. So pretty please, can we have this patch become a part of the standard distribution as soon as possible?

I'd also like to note that if one is logging the source IP address, it also makes sense to log the source port, since without having it reporting stuff onwards is pretty futile (because of proxies and so on). The nginx directive needed for this is $remote_port, if it helps anyone.
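
The kind of log line the comment above asks for, as an added example that is not part of the thread, the posted patch, or Rocket.Chat: it resolves the source address from `X-Forwarded-For` using a trusted hop count and emits one fixed-format line per attempt. The function names, the log format, `TRUSTED_HOPS` and the `X-Real-Port` header (set by the proxy from `$remote_port`) are assumptions; the attempt object follows the `login` argument used in the patch.

```javascript
// Added example, not Rocket.Chat code. Assumes one trusted nginx hop that appends
// the peer to X-Forwarded-For and sets a hypothetical X-Real-Port from $remote_port.
const net = require('net');

const TRUSTED_HOPS = 1; // reverse proxies you operate in front of the app

// Return the address seen by the outermost trusted proxy. Entries further left
// in X-Forwarded-For were sent by the client and are not evidence.
function clientAddress(xff, peerAddress, trustedHops = TRUSTED_HOPS) {
  const chain = String(xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (trustedHops === 0 || chain.length < trustedHops) return peerAddress;
  const candidate = chain[chain.length - trustedHops];
  return net.isIP(candidate) ? candidate : peerAddress;
}

// Accept only a plain decimal port in range; anything else is logged as "-".
function clientPort(value) {
  const text = String(value === undefined ? '' : value);
  const port = Number(text);
  return /^\d{1,5}$/.test(text) && port >= 1 && port <= 65535 ? port : null;
}

// One line per attempt with a fixed field order, so a fail2ban-style filter
// can match failures and extract src=.
function loginLogLine(attempt, now = new Date()) {
  const headers = attempt.connection.httpHeaders || {};
  const ip = clientAddress(headers['x-forwarded-for'], attempt.connection.clientAddress);
  const port = clientPort(headers['x-real-port']);
  // The username comes from the request: strip anything that could forge a line.
  const rawUser = (attempt.user && attempt.user.username) || '-';
  const user = String(rawUser).replace(/[^\w.@-]/g, '_').slice(0, 64);
  const result = attempt.allowed ? 'success' : 'failure';
  return `${now.toISOString()} login ${result} user=${user} src=${ip} sport=${port === null ? '-' : port}`;
}

// Constructed sample: the first X-Forwarded-For entry is client-supplied.
const sampleAttempt = {
  allowed: false,
  user: { username: 'alice' },
  connection: {
    clientAddress: '127.0.0.1', // the nginx hop
    httpHeaders: { 'x-forwarded-for': '203.0.113.9, 198.51.100.7', 'x-real-port': '51544' },
  },
};
console.log(loginLogLine(sampleAttempt, new Date('2020-01-02T03:04:05Z')));
```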

ExTechOp commented 5 years ago

> There is a small handful of "people" shilling for IP logs, who I suspect are feds trying to create honeypots, or undermine Rocketchat's privacy.

The original request was of course phrased in a rather provocative way, but as a sysadmin running our company chat server, it would be really nice to get some indications that: