fix: [Alert on suspicious logins] disabled by default

- requires logs table to be better indexed currently to not be a bottleneck (user_id and action fields) - Will be made default in an upcoming version once the performance issues are resolved
2023-12-01 22:10:50 +01:00 · 2023-12-01 22:10:50 +01:00 · 4215285443
parent 34105dba0f
commit 4215285443
2 changed files with 30 additions and 21 deletions
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@ -1350,28 +1350,29 @@ class UsersController extends AppController
            $readableDatetime = (new DateTime())->setTimestamp($lastUserLogin)->format('D, d M y H:i:s O'); // RFC822
            $this->Flash->info(__('Welcome! Last login was on %s', $readableDatetime));
        }
-
-        try {
-            // there are reasons to believe there is evil happening, suspicious. Inform user and (org)admins.
-            $suspiciousness_reason = $this->User->UserLoginProfile->_isSuspicious();
-            if ($suspiciousness_reason) {
-                // raise an alert (the SIEM component should ensure (org)admins are informed)
-                $this->loadModel('Log');
-                $this->Log->createLogEntry($this->Auth->user(), 'auth_alert', 'User', $this->Auth->user('id'), 'Suspicious login.', $suspiciousness_reason);
-                // Line below commented out to NOT inform user/org admin of the suspicious login.
-                // The reason is that we want to prevent other user actions cause trouble. 
-                // However this also means we're sitting on data that could be used to detect new evil logins.
-                // As we're generating alerts, the sysadmin should be keeping an eye on these
-                // $this->User->UserLoginProfile->email_suspicious($user, $suspiciousness_reason);
+        if (Configure::read('Security.alert_on_suspicious_logins')) {
+            try {
+                // there are reasons to believe there is evil happening, suspicious. Inform user and (org)admins.
+                $suspiciousness_reason = $this->User->UserLoginProfile->_isSuspicious();
+                if ($suspiciousness_reason) {
+                    // raise an alert (the SIEM component should ensure (org)admins are informed)
+                    $this->loadModel('Log');
+                    $this->Log->createLogEntry($this->Auth->user(), 'auth_alert', 'User', $this->Auth->user('id'), 'Suspicious login.', $suspiciousness_reason);
+                    // Line below commented out to NOT inform user/org admin of the suspicious login.
+                    // The reason is that we want to prevent other user actions cause trouble. 
+                    // However this also means we're sitting on data that could be used to detect new evil logins.
+                    // As we're generating alerts, the sysadmin should be keeping an eye on these
+                    // $this->User->UserLoginProfile->email_suspicious($user, $suspiciousness_reason);
+                }
+                // verify UserLoginProfile trust status and perform informative actions
+                if (!$this->User->UserLoginProfile->_isTrusted()) {
+                    // send email to inform the user
+                    $this->User->UserLoginProfile->email_newlogin($user);
+                }
+            } catch (Exception $e) {
+                // At first login after code update and before DB schema update we might end up with problems.
+                // Just catch it cleanly here to prevent problems.
            }
-            // verify UserLoginProfile trust status and perform informative actions
-            if(!$this->User->UserLoginProfile->_isTrusted()) {
-                // send email to inform the user
-                $this->User->UserLoginProfile->email_newlogin($user);
-            }
-        } catch (Exception $e) {
-            // At first login after code update and before DB schema update we might end up with problems.
-            // Just catch it cleanly here to prevent problems.
        }

        // no state changes are ever done via GET requests, so it is safe to return to the original page:
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -6322,6 +6322,14 @@ class Server extends AppModel
                    'editable' => false,
                    'redacted' => true
                ),
+                'alert_on_suspicious_logins' => [
+                    'level' => 1,
+                    'description' => __('When enabled, MISP will alert users of logins from new devices / suspicious logins. Please make sure that your logs table has additional indexes (on the user_id and action fields) for this not to be a performance bottleneck for now (expected to be resolved soon).'),
+                    'value' => false,
+                    'null' => true,
+                    'test' => 'testBool',
+                    'type' => 'boolean',
+                ],
                'log_each_individual_auth_fail' => [
                    'level' => 1,
                    'description' => __('By default API authentication failures that happen within the same hour for the same key are omitted and a single log entry is generated. This allows administrators to more easily keep track of attackers that try to brute force API authentication, by reducing the noise generated by expired API keys. On the other hand, this makes little sense for internal MISP instances where detecting the misconfiguration of tools becomes more interesting, so if you fall into the latter category, enable this feature.'),