Security discussion

jiggs

Hey Everyone, I've been seeing in the system logs of osTicket, random invalid tokens from all over the world. I've added about 70,000 ip's to block via firewalld (running Ubuntu with apache). What are you all doing to block these types of scenarios? I understand this type of security is out of osTicket's scope, but am curious to what others are doing to protect against brute force type of logins? I would LOVE to get fail2ban working, but understand that the logs are part of the database. If I were to go the fail2ban route, how would I dump the logs of osTicket so they can be monitored by fail2ban? Or maybe there's a better route than fail2ban.

erichstrelow

Interesting topic.
The dump query should look something like this:
select created, ip_address, title from ost_syslog where log_type='Warning' and title like '%CSRF%' and created >= now() - INTERVAL 1 HOUR;
The warning field is a short description. The log field is the long description. They both might be language customized, so you must tune the conditions to your local language.

In my case, the apache is behind my cloud vendor middleware, so this query is useless (the client IP is always the same). The filtering can be done in the middleware anyway. There is a setting inside ost-config.php in order to take the HTTP_X_FORWARDED_FOR in account to workaround this, but I haven't done my homework here.

Anyhow, if you are using apache and Ubuntu, going for a geoip apache module should be a more powerful approach.