
LoginAuthenticateAudit should be extended to also report access attempts blocked by anti-spam extensions
Open, Low, Public, Feature Request

Description

Author: carlb613

Description:
There is a hook [[mw:manual:hook/LoginAuthenticateAudit]] which is currently called with (username, password, status) to report a status of any one of:
a) user logged in successfully
b) user supplied a bad password
c) user requested an e-mail password reset link

This hook is used by [[mw:Extension:Fail2banlog]] to ban (at the server firewall level) IPs which attempt brute-force attacks which repeatedly try to log in with bad passwords.

Unfortunately, it only detects access attempts blocked by core code and then only on login attempts. There are many more attempts to access the wiki in some way (edit, registration, upload...) which are blocked not by core code but by extensions hooked into any or all of the following:

  • edit: ([[mw:Manual:Hooks/EditFilter|EditFilter]], [[mw:Manual:Hooks/EditFilterMerged|EditFilterMerged]], [[mw:Manual:Hooks/APIEditBeforeSave|APIEditBeforeSave]])
  • login and registration: [[Manual:Hooks/AbortLogin|AbortLogin]], [[Manual:Hooks/AbortNewAccount|AbortNewAccount]]
  • move: [[Manual:Hooks/AbortMove|AbortMove]]
  • upload: [[Manual:Hooks/UploadVerification|UploadVerification]]
  • delete: [[Manual:Hooks/ArticleDelete|ArticleDelete]]

Each of these hooks has some means (such as returning 'false' or setting $error to a non-null string) to reject an edit or other access attempt as spam.

Perhaps [[Manual:Hooks/LoginAuthenticateAudit|LoginAuthenticateAudit]] should have one extra event code added to indicate each of these actions (edit, login, register, move, upload) being rejected by an extension due to abuse.

That way, if [[mw:extension:SpamBlacklist]] were repeatedly rejecting edits due to spam URLs in the message payload, or [[mw:extension:ConfirmEdit]] were reporting repeated wrong answers to CAPTCHAs, [[mw:extension:fail2banlog]] could block the offending IPs once and for all.


Version: 1.20.x
Severity: enhancement
URL: http://www.mediawiki.org/wiki/Thread:Extension_talk:ConfirmEdit/SimpleCaptcha_now_useless#SimpleCaptcha_now_useless_12717
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=41522
https://bugzilla.wikimedia.org/show_bug.cgi?id=46292
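
Added illustration (editor's example, not code from the bug report, MediaWiki core or Extension:Fail2banlog): a hypothetical extension that writes one uniform, fail2ban-friendly log line per access attempt, fed both by the LoginAuthenticateAudit statuses that exist today and by an extension-level edit rejection, here a stand-in spam check in an EditFilter handler. Hook names and handler signatures are those of MediaWiki 1.20; the class name, the log path in $wgAbuseAuditLog, the line format, the blacklist pattern and the fail2ban regex in the comment are assumptions.

```php
<?php
/**
 * Added example, not code from the bug report, MediaWiki core or
 * Extension:Fail2banlog. Hypothetical "AbuseAudit" extension for
 * MediaWiki 1.20 that writes one uniform log line per access attempt,
 * from (a) the existing LoginAuthenticateAudit statuses and (b) an
 * extension-level edit rejection (a stand-in spam check below).
 * Assumed: the class name, $wgAbuseAuditLog and its path, the line
 * format, the blacklist pattern and the fail2ban regex in the comment.
 */

$wgAbuseAuditLog = '/var/log/mediawiki/abuse-audit.log'; // assumed path

$wgHooks['LoginAuthenticateAudit'][] = 'AbuseAudit::onLoginAuthenticateAudit';
$wgHooks['EditFilter'][] = 'AbuseAudit::onEditFilter';

class AbuseAudit {
	/**
	 * Append one line such as (constructed sample):
	 *   2012-03-01T12:00:00Z mwabuse action=edit result=rejected ip=203.0.113.7 user=Example
	 * A matching fail2ban filter (assumed, not Fail2banlog's own) would be:
	 *   failregex = ^\S+ mwabuse action=\S+ result=rejected ip=<HOST>
	 * so one jail covers every action that reports result=rejected.
	 */
	public static function record( $action, $result, $user ) {
		global $wgRequest, $wgAbuseAuditLog;
		// The password is deliberately never written; the user name is
		// flattened so it cannot inject a second log line or an extra field.
		$name = $user instanceof User ? $user->getName() : '-';
		$name = preg_replace( '/[\s=]+/', '_', $name );
		$line = sprintf( "%s mwabuse action=%s result=%s ip=%s user=%s\n",
			wfTimestamp( TS_ISO_8601 ), $action, $result, $wgRequest->getIP(), $name );
		wfErrorLog( $line, $wgAbuseAuditLog );
	}

	/** Core login outcome, exactly as LoginAuthenticateAudit reports it today. */
	public static function onLoginAuthenticateAudit( $user, $password, $retval ) {
		switch ( $retval ) {
			case LoginForm::SUCCESS:    $result = 'ok';       break;
			case LoginForm::WRONG_PASS: $result = 'rejected'; break;
			case LoginForm::RESET_PASS: $result = 'reset';    break;
			default:                    $result = 'other';
		}
		self::record( 'login', $result, $user );
		return true; // audit only; never changes the login result
	}

	/**
	 * Stand-in for an anti-spam EditFilter handler. MediaWiki stops running
	 * a hook's handlers as soon as one returns false, so a separate audit
	 * listener on EditFilter would never see SpamBlacklist's rejection: the
	 * rejecting handler itself has to report it. That is the gap the
	 * request asks core to close with a central event code.
	 */
	public static function onEditFilter( $editor, $text, $section, &$error, $summary ) {
		global $wgUser;
		// Constructed pattern standing in for the real spam blacklist.
		if ( preg_match( '%https?://[^\s/]*spam\.example\.invalid%i', $text ) ) {
			self::record( 'edit', 'rejected', $wgUser );
			$error = '<div class="error">This edit was rejected as spam.</div>';
			return false;
		}
		return true;
	}
}
```

Dropped into LocalSettings.php (or loaded as an extension) this gives fail2ban a single file and a single regex to watch, and a web server or proxy that sets the real client address for WebRequest::getIP() is required, otherwise every line carries the proxy's IP and the ban hits the wrong host.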

Details

Reference
bz34914

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 12:19 AM
bzimport set Reference to bz34914.
bzimport added a subscriber: Unknown Object (MLST).
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 11:14 AM
Aklapper removed a subscriber: wikibugs-l-list.