Hello - I'm looking for some help, and am making a suggestion.

My suggestion is simple: osTicket needs full reCaptcha support.

Why? We run a public osTicket installation (recently upgraded to 1.12), and someone has decided to run a distributed brute-force attack against it. They appear to have automated this across approx. 3,000+ systems distributed globally, but primarily in Russia, China, and North America. They're guessing passwords against legitimate accounts and appear to coordinate with each other as they cycle accounts. We use the LDAP plugin for account authentication against OpenLDAP.

From the Apache logs, I see over 3,000 unique IPs POSTing to /scp/login.php, but do not see anything helpful like "failed attempt against ID xyz from IP abc". In order to see what was happening I use Apache mod_security to dump and log POSTed data, but this is not great for server performance, doesn't tell me if an attempt succeeded or failed, etc.

I speculate that because they're using so many unique IPs, and because they're using many different IDs when attempting to login, that it's not triggering the "X failed logins in Y time" logic and not effectively blocking the attack.

I'm wondering:

  1. What built-in functionality, plugins, or mods should I be aware of that might help?
  2. How can I enable (preferably) reCaptcha on all pages where authentication takes place, for agents AND users? This should effectively stop the brute-force attack.
  3. How can I output log messages to a file (file or syslog, but database/email logs are not helpful to me) indicating that a failed login attempt has occurred? I need to know the ID they attempted and the source IP of the attempting system. This would enable me to use Fail2Ban to dynamically firewall bad-actors.

If the attack were not distributed, this would be much easier as I could just block IPs that visit the login page too many times a day, but some IPs only hit it once or twice a day, much like a typical user would.

Looking for ideas...

Thanks

Re 1.

It sounds like you are already aware of the built-in rate limits. Additionally there is a captcha at Admin panel -> Settings -> Tickets: Human Verification. It is not as good as reCaptcha but it might slow them down further. It requires the gdlib library.

Re 2.
This is a totally legitimate concern. Sadly osTicket does not currently have reCaptcha support. It was being worked on a while back; here is a link to the changes that former Dev Jared added to work on it.

https://github.com/osTicket/osTicket-plugins/pull/55/files/8863f6ad180a828cef8c113d4ab98ef31657a912..01cea8dee7a817313ab3be62fef905c238488e60

While I have not tried this code personally (and it was written for the 1.10.x branch) it might work. So if you want to take some time and try it, you might be pleasantly surprised.

Re 3.
The System Logs in osTicket do not have an export feature currently. So I am not aware of any way to export the auth logs to a stand-alone file. You could probably write a quick-n-dirty PHP script to query the database and save it to a file. They are located in the ost_syslog table.
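As an added example (not from this thread and not osTicket's own code), here is a Python sketch of the export the reply describes: it pulls failed-login rows from ost_syslog, writes one line per attempt in a shape a Fail2Ban failregex can match, and tallies attempts per IP and per account so the distributed pattern from the question shows up even when no single IP trips a threshold. The column names, the 'Warning' log type, the "user <name>" message format and all sample rows are assumptions; it runs against an in-memory SQLite stand-in rather than the real MySQL database.

```python
import re
import sqlite3
# Assumed message format: the account name follows the word "user".
USER_RE = re.compile(r"\buser\s+(\S+)", re.IGNORECASE)

def fetch_failed_logins(conn):
    """(created, ip, user) per failed login; assumes Warning rows with 'login' in the title."""
    rows = conn.execute("SELECT created, ip_address, log FROM ost_syslog "
                        "WHERE log_type = 'Warning' AND title LIKE '%login%' ORDER BY created")
    events = []
    for created, ip, text in rows:
        match = USER_RE.search(text)
        events.append((created, ip, match.group(1) if match else "unknown"))
    return events

def format_line(created, ip, user):
    """One line per attempt; a Fail2Ban failregex can key on 'from <HOST>'."""
    return f"{created} osticket: failed login for {user} from {ip}"

def export(events, path):
    """Append the flat lines to a file that Fail2Ban can watch."""
    with open(path, "a") as fh:
        for event in events:
            fh.write(format_line(*event) + "\n")

def summarise(events):
    """Per-IP and per-account counts: a distributed campaign stays under any per-IP threshold, but per-account totals still climb."""
    per_ip, per_user = {}, {}
    for _, ip, user in events:
        per_ip[ip] = per_ip.get(ip, 0) + 1
        per_user[user] = per_user.get(user, 0) + 1
    return per_ip, per_user

def build_sample_db():
    """In-memory stand-in for the osTicket database, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ost_syslog (log_type TEXT, title TEXT, log TEXT, ip_address TEXT, created TEXT)")
    conn.executemany("INSERT INTO ost_syslog VALUES (?, ?, ?, ?, ?)", [
        ("Warning", "Failed agent login", "Attempt for user alice", "203.0.113.5", "2019-06-01 10:00:01"),
        ("Warning", "Failed agent login", "Attempt for user alice", "198.51.100.7", "2019-06-01 10:00:09"),
        ("Warning", "Failed agent login", "Attempt for user bob", "203.0.113.5", "2019-06-01 10:01:30"),
        ("Warning", "Failed agent login", "Attempt for user alice", "192.0.2.44", "2019-06-01 10:02:00"),
        ("Debug", "Agent login", "alice logged in", "203.0.113.9", "2019-06-01 10:03:00"),  # success; skipped
    ])
    return conn
if __name__ == "__main__":
    events = fetch_failed_logins(build_sample_db())
    export(events, "osticket-auth.log")
    print(summarise(events))  # no IP above 2, but alice has 3 failures
```

Against a real install you would replace build_sample_db with a MySQL connection and run the script from cron, pointing a Fail2Ban jail at the output file.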
