nextcloud / password_policy

:lock: Let the admin define certain rules for passwords, e.g. a minimum length
GNU Affero General Public License v3.0

Add logging for blocked user accounts #244

Open mzed2k opened 3 years ago

mzed2k commented 3 years ago

Steps to reproduce

  1. Set "login attempts before the user account is blocked" to 5
  2. Try to log in using a wrong password 5x
  3. User account gets disabled

Expected behaviour

If a user account gets disabled, report it in the nextcloud.log to make it clear who disabled the user. As an add-on, an admin notification would be super.

Actual behaviour

Incidence not reported in nextcloud.log, no notification.

Server configuration detail

Operating system: Linux 3.10.0-1127.18.2.el7.x86_64 #1 SMP Sun Jul 26 15:27:06 UTC 2020 x86_64

Webserver: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.24 (apache2handler)

Database: mysql 10.3.13

PHP version:

7.2.24 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, intl, json, ldap, exif, mysqlnd, PDO, Phar, posix, shmop, SimpleXML, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, zip, mysqli, pdo_mysql, pdo_sqlite, wddx, xmlreader, apcu, imagick, Zend OPcache

Nextcloud version: 19.0.13 - 19.0.13.1

Updated from an older Nextcloud/ownCloud or fresh install: updated

Where did you install Nextcloud from: github

Signing status Array ( )
List of activated apps

```
Enabled:
 - activity: 2.12.1
 - checksum: 0.4.5
 - cloud_federation_api: 1.2.0
 - comments: 1.9.0
 - customproperties: 1.0.1
 - data_request: 1.6.0
 - dav: 1.15.0
 - extract: 1.3.2
 - federatedfilesharing: 1.9.0
 - files: 1.14.0
 - files_accesscontrol: 1.9.3
 - files_automatedtagging: 1.9.1
 - files_downloadactivity: 1.8.0
 - files_pdfviewer: 1.8.0
 - files_retention: 1.8.2
 - files_rightclick: 0.16.0
 - files_sharing: 1.11.0
 - files_videoplayer: 1.8.0
 - flowupload: 1.1.2
 - guests: 1.6.3
 - impersonate: 1.6.1
 - issuetemplate: 0.7.0
 - logreader: 2.4.0
 - lookup_server_connector: 1.7.0
 - metadata: 0.14.0
 - music: 1.2.1
 - notifications: 2.7.0
 - oauth2: 1.7.0
 - password_policy: 1.9.1
 - privacy: 1.3.0
 - provisioning_api: 1.9.0
 - quota_warning: 1.8.0
 - ransomware_protection: 1.7.1
 - serverinfo: 1.9.0
 - settings: 1.1.0
 - systemtags: 1.9.0
 - terms_of_service: 1.5.2
 - text: 3.0.1
 - theming: 1.10.0
 - twofactor_backupcodes: 1.8.0
 - updatenotification: 1.9.0
 - viewer: 1.3.0
 - workflow_script: 1.4.1
 - workflowengine: 2.1.0
Disabled:
 - accessibility
 - admin_audit
 - contactsinteraction
 - encryption
 - federation
 - files_antivirus
 - files_external
 - files_trackdownloads
 - files_trashbin
 - files_versions
 - firstrunwizard
 - nextcloud_announcements
 - photos
 - recommendations
 - sharebymail
 - support
 - survey_client
 - user_ldap
```

Configuration (config/config.php)

```
{
  "instanceid": "***REMOVED SENSITIVE VALUE***",
  "passwordsalt": "***REMOVED SENSITIVE VALUE***",
  "secret": "***REMOVED SENSITIVE VALUE***",
  "trusted_domains": [
    "transfer.***REMOVED SENSITIVE VALUE***"
  ],
  "datadirectory": "***REMOVED SENSITIVE VALUE***",
  "dbtype": "mysql",
  "version": "19.0.13.1",
  "overwrite.cli.url": "http:\/\/transfer.br.de",
  "dbname": "***REMOVED SENSITIVE VALUE***",
  "dbhost": "***REMOVED SENSITIVE VALUE***",
  "dbport": "",
  "dbtableprefix": "oc_",
  "mysql.utf8mb4": true,
  "dbuser": "***REMOVED SENSITIVE VALUE***",
  "dbpassword": "***REMOVED SENSITIVE VALUE***",
  "installed": true,
  "mail_smtpmode": "smtp",
  "mail_sendmailmode": "smtp",
  "mail_from_address": "***REMOVED SENSITIVE VALUE***",
  "mail_domain": "***REMOVED SENSITIVE VALUE***",
  "maintenance": false,
  "theme": "",
  "loglevel": 2,
  "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
  "mail_smtpport": "25"
}
```

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

Operating system: Windows 10

joshtrichards commented 7 months ago

If someone wishes to attempt to add this, it should probably go here:

https://github.com/nextcloud/password_policy/blob/5d00442d320f1a0695e18bb653555f92a4ada9c8/lib/FailedLoginCompliance.php#L74-L78

https://docs.nextcloud.com/server/latest/developer_manual/basics/logging.html
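As an added illustration of what the requested logging and notification could look like (example code written for this page, not code from the password_policy app and not the contents of the linked FailedLoginCompliance.php), the sketch below uses the Nextcloud public API the linked developer manual describes: a PSR-3 `Psr\Log\LoggerInterface` for nextcloud.log (available from Nextcloud 20; on the reporter's Nextcloud 19 the older `OCP\ILogger` would take its place), `OCP\Notification\IManager` for the admin notification, and `OCP\IGroupManager` to find the admins. The class name `AccountLockoutReporter`, the method `disableAndReport`, the notification object type `account_lockout` and subject `account_disabled`, and the `$remoteAddr` argument are all assumptions made for the example; how the real app counts attempts and where it calls `setEnabled(false)` is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical namespace for this example; the app's real classes live elsewhere.
namespace OCA\PasswordPolicy\Example;

use OCP\IGroupManager;
use OCP\IUser;
use OCP\Notification\IManager as INotificationManager;
use Psr\Log\LoggerInterface;

/**
 * Example helper (not part of the password_policy app): makes the
 * "account disabled after N failed logins" event visible to operators
 * by writing a structured warning to nextcloud.log and sending a
 * notification to every member of the admin group.
 */
class AccountLockoutReporter {
	/** @var LoggerInterface */
	private $logger;
	/** @var INotificationManager */
	private $notifications;
	/** @var IGroupManager */
	private $groupManager;

	public function __construct(
		LoggerInterface $logger,
		INotificationManager $notifications,
		IGroupManager $groupManager
	) {
		$this->logger = $logger;
		$this->notifications = $notifications;
		$this->groupManager = $groupManager;
	}

	/**
	 * Disable $user after $attempts failed logins and record who was disabled and why.
	 * $remoteAddr is the client address of the last failed attempt; the caller is
	 * assumed to pass it in (e.g. from IRequest::getRemoteAddress()).
	 */
	public function disableAndReport(IUser $user, int $attempts, int $limit, string $remoteAddr): void {
		$user->setEnabled(false);

		// Context keys are written as structured fields, so the logreader app and
		// any log shipper can filter on them; {placeholders} are interpolated by the logger.
		$this->logger->warning(
			'User account {uid} disabled after {attempts} failed login attempts (limit {limit}) from {remoteAddr}',
			[
				'app' => 'password_policy',
				'uid' => $user->getUID(),
				'attempts' => $attempts,
				'limit' => $limit,
				'remoteAddr' => $remoteAddr,
			]
		);

		// One notification per admin; the group name "admin" is Nextcloud's built-in admin group.
		$adminGroup = $this->groupManager->get('admin');
		if ($adminGroup === null) {
			return;
		}
		foreach ($adminGroup->getUsers() as $admin) {
			$notification = $this->notifications->createNotification();
			$notification->setApp('password_policy')
				->setUser($admin->getUID())
				->setDateTime(new \DateTime())
				// Object type and subject key are example values; the app's INotifier
				// implementation would map the subject to human-readable text.
				->setObject('account_lockout', $user->getUID())
				->setSubject('account_disabled', [
					'uid' => $user->getUID(),
					'attempts' => $attempts,
				]);
			$this->notifications->notify($notification);
		}
	}
}
```

Two practical points for anyone picking this up: the log line should carry the user id and client address as context fields rather than only in the message text, since that is what makes the event searchable in the Log reader and in an external SIEM, and the notification only renders once the app registers an `OCP\Notification\INotifier` that knows the `account_disabled` subject, which is left out above.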