basic logging, adds logs folder to root dir

htaccess to block access to the logs
by default, only log warnings
simple config check to see if that folder is writable

warning if changeNoFee is used
warning if setLocked is used
warning if changeAdmin is used
warning if when logging in that IP is different than saved IP
info if a login fails with bad user or password
warning if a user is locked via failed logins
info if an update/etc fails with bad pin
warning if a user is locked via failed pins
info when a pin request is sent
warning when a pin request email doesn't send
warning when trying to request pin reset and incorrect password
info when a twofactor token sent
warning if twofactor email doesn't send
warning when a user tries to request multiple of the same type of token
info when a twofactor token is deleted
warning if a twofactor token fails to delete
warning when an invalid change password token is used
info on successful account update
warning when reset password is called and IP doesn't match saved IP, info otherwise
warning if isAuthenticated falls through and kills a session

Author: xisi

.gitignore

@@ -11,6 +11,7 @@
 # Logs
 /cronjobs/logs/*.txt
 /cronjobs/logs/*.txt.*.gz
+/logs/*
 
 # Test configs
 public/include/config/global.inc.scrypt.php

.htaccess

@@ -0,0 +1,3 @@
+ErrorDocument 404 /public/index.php?page=error&action=404
+RedirectMatch 404 /logs(/|$)
+Options -Indexes

logs/README.md

@@ -0,0 +1 @@
+hi

public/include/admin_checks.php

@@ -15,6 +15,12 @@
   }
 
   // setup checks
+  // logging
+  if ($config['logging']['enabled']) {
+    if (!is_writable($config['logging']['path'])) {
+      $error[] = "Logging is enabled but we can't write in the logging path";
+    }
+  }
   // check if memcache isn't available but enabled in config -> error
   if (!class_exists('Memcached') && $config['memcache']['enabled']) {
     $error[] = "You have memcache enabled in your config and it's not available. Install the package on your system.";

public/include/autoloader.inc.php

@@ -12,6 +12,9 @@
 // Default classes
 require_once(CLASS_DIR . '/debug.class.php');
 require_once(INCLUDE_DIR . '/lib/KLogger.php');
+if ($config['logging']['enabled']) {
+  $log = new KLogger($config['logging']['path']."/".$config['logging']['file'], $config['logging']['level']);
+}
 if ($config['mysql_filter']) {
   require_once(CLASS_DIR . '/strict.class.php');
 }

public/include/classes/base.class.php

@@ -19,6 +19,9 @@ public function getTableName() {
   public function setDebug($debug) {
     $this->debug = $debug;
   }
+  public function setLog($log) {
+    $this->log = $log;
+  }
   public function setMysql($mysqli) {
     $this->mysqli = $mysqli;
   }

public/include/classes/notification.class.php

@@ -120,6 +120,9 @@ public function updateSettings($account_id, $data) {
       $this->setErrorMessage($this->getErrorMsg('E0047', $failed));
       return $this->sqlError();
     }
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogInfo("User $account_id updated notification settings from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     return true;
   }
 
@@ -154,6 +157,7 @@ public function sendNotification($account_id, $strType, $aMailData) {
 
 $notification = new Notification();
 $notification->setDebug($debug);
+$notification->setLog($log);
 $notification->setMysql($mysqli);
 $notification->setSmarty($smarty);
 $notification->setConfig($config);

public/include/classes/payout.class.php

@@ -41,8 +41,20 @@ public function createPayout($account_id=NULL, $strToken) {
       if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['withdraw']) {
         $tValid = $this->token->isTokenValid($account_id, $strToken, 7);
         if ($tValid) {
-          $this->token->deleteToken($strToken);
+          $delete = $this->token->deleteToken($strToken);
+          if ($delete) {
+            return true;
+          } else {
+            if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+              $this->log->LogInfo("User $account_id requested manual payout but the token deletion failed from [".$_SERVER['REMOTE_ADDR']."]");
+            }
+            $this->setErrorMessage('Unable to delete token');
+            return false;
+          }
         } else {
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogInfo("User $account_id requested manual payout using an invalid token from [".$_SERVER['REMOTE_ADDR']."]");
+          }
           $this->setErrorMessage('Invalid token');
           return false;
         }
@@ -67,6 +79,7 @@ public function setProcessed($id) {
 
 $oPayout = new Payout();
 $oPayout->setDebug($debug);
+$oPayout->setLog($log);
 $oPayout->setMysql($mysqli);
 $oPayout->setConfig($config);
 $oPayout->setToken($oToken);

public/include/classes/user.class.php

@@ -69,14 +69,23 @@ public function getSignupTime($id) {
   }
   public function changeNoFee($id) {
     $field = array('name' => 'no_fees', 'type' => 'i', 'value' => !$this->isNoFee($id));
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn($this->getUserName($id)." changed no_fees to ".$this->isNoFee($id)." from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     return $this->updateSingle($id, $field);
   }
   public function setLocked($id, $value) {
     $field = array('name' => 'is_locked', 'type' => 'i', 'value' => $value);
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn($this->getUserName($id)." changed is_locked to $value from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     return $this->updateSingle($id, $field);
   }
   public function changeAdmin($id) {
     $field = array('name' => 'is_admin', 'type' => 'i', 'value' => !$this->isAdmin($id));
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn($this->getUserName($id)." changed is_admin to ".$this->isAdmin($id)." from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     return $this->updateSingle($id, $field);
   }
   public function setUserFailed($id, $value) {
@@ -145,6 +154,11 @@ public function checkLogin($username, $password) {
       $lastLoginTime = $this->getLastLogin($uid);
       $this->updateLoginTimestamp($uid);
       $getIPAddress = $this->getUserIp($uid);
+      if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+        if ($getIPAddress !== $_SERVER['REMOTE_ADDR']) {
+          $this->log->LogWarn("$username has logged in with a different IP [".$_SERVER['REMOTE_ADDR']."] saved is [$getIPAddress]");
+        }
+      }
       $setIPAddress = $this->setUserIp($uid, $_SERVER['REMOTE_ADDR']);
       $this->createSession($username, $getIPAddress, $lastLoginTime);
       if ($setIPAddress) {
@@ -172,11 +186,17 @@ public function checkLogin($username, $password) {
       }
     }
     $this->setErrorMessage("Invalid username or password");
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogInfo("$username failed login from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     if ($id = $this->getUserId($username)) {
       $this->incUserFailed($id);
       // Check if this account should be locked
       if (isset($this->config['maxfailed']['login']) && $this->getUserFailed($id) >= $this->config['maxfailed']['login']) {
         $this->setLocked($id, 1);
+        if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+          $this->log->LogWarn("$username locked via failed logins from [".$_SERVER['REMOTE_ADDR']."] saved is [".$this->getUserIp($this->getUserId($username))."]");
+        }
         if ($token = $this->token->createToken('account_unlock', $id)) {
           $aData['token'] = $token;
           $aData['username'] = $username;
@@ -203,17 +223,23 @@ public function checkPin($userId, $pin=false) {
     $pin_hash = $this->getHash($pin);
     if ($stmt->bind_param('is', $userId, $pin_hash) && $stmt->execute() && $stmt->bind_result($row_pin) && $stmt->fetch()) {
       $this->setUserPinFailed($userId, 0);
-      return $pin_hash === $row_pin;
+      return ($pin_hash === $row_pin);
+    }
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogInfo($this->getUserName($userId)." incorrect pin from [".$_SERVER['REMOTE_ADDR']."]");
     }
     $this->incUserPinFailed($userId);
     // Check if this account should be locked
     if (isset($this->config['maxfailed']['pin']) && $this->getUserPinFailed($userId) >= $this->config['maxfailed']['pin']) {
       $this->setLocked($userId, 1);
+      if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+        $this->log->LogWarn($this->getUserName($userId)." was locked via incorrect pins from [".$_SERVER['REMOTE_ADDR']."]");
+      }
       if ($token = $this->token->createToken('account_unlock', $userId)) {
         $username = $this->getUserName($userId);
         $aData['token'] = $token;
         $aData['username'] = $username;
-        $aData['email'] = $this->getUserEmail($username);;
+        $aData['email'] = $this->getUserEmail($username);
         $aData['subject'] = 'Account auto-locked';
         $this->mail->sendMail('notifications/locked', $aData);
       }
@@ -234,17 +260,25 @@ public function generatePin($userID, $current) {
     $newpin = $this->getHash($newpin);
     $aData['subject'] = 'PIN Reset Request';
     $stmt = $this->mysqli->prepare("UPDATE $this->table SET pin = ? WHERE ( id = ? AND pass = ? )");
-
     if ($this->checkStmt($stmt) && $stmt->bind_param('sis', $newpin, $userID, $current) && $stmt->execute()) {
       if ($stmt->errno == 0 && $stmt->affected_rows === 1) {
         if ($this->mail->sendMail('pin/reset', $aData)) {
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogInfo($this->getUserName($userID)." was sent a pin reset from [".$_SERVER['REMOTE_ADDR']."]");
+          }
           return true;
         } else {
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogWarn($this->getUserName($userID)." request a pin reset but the mailing failed from [".$_SERVER['REMOTE_ADDR']."]");
+          }
           $this->setErrorMessage('Unable to send mail to your address');
           return false;
         }
       }
     }
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn($this->getUserName($userID)." incorrect pin reset attempt from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     $this->setErrorMessage( 'Unable to generate PIN, current password incorrect?' );
     return false;
 }
@@ -319,14 +353,23 @@ public function sendChangeConfigEmail($strType, $userID) {
       	default:
       	  $aData['subject'] = '';
       }
+      if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+        $this->log->LogInfo($this->getUserName($userID)." was sent a $strType token from [".$_SERVER['REMOTE_ADDR']."]");
+      }
       if ($this->mail->sendMail('notifications/'.$strType, $aData)) {
         return true;
       } else {
         $this->setErrorMessage('Failed to send the notification');
+        if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+          $this->log->LogWarn($this->getUserName($userID)." requested a $strType token but the mailing failed from [".$_SERVER['REMOTE_ADDR']."]");
+        }
         return false;
       }
     }
-    $this->setErrorMessage('A request has already been sent to your e-mail address. Please wait 10 minutes for it to expire.');
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn($this->getUserName($userID)." attempted to request multiple $strType tokens from [".$_SERVER['REMOTE_ADDR']."]");
+    }
+    $this->setErrorMessage('A request has already been sent to your e-mail address. Please wait an hour for it to expire.');
     return false;
   }
 
@@ -351,25 +394,44 @@ public function updatePassword($userID, $current, $new1, $new2, $strToken) {
     }
     $current = $this->getHash($current);
     $new = $this->getHash($new1);
+    if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['changepw']) {
+      $tValid = $this->token->isTokenValid($userID, $strToken, 6);
+      if ($tValid) {
+        if ($this->token->deleteToken($strToken)) {
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogInfo($this->getUserName($userID)." deleted change password token from [".$_SERVER['REMOTE_ADDR']."]");
+          }
+          // token deleted, continue
+        } else {
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogWarn($this->getUserName($userID)." change password token failed to delete from [".$_SERVER['REMOTE_ADDR']."]");
+          }
+          $this->setErrorMessage('Token deletion failed');
+          return false;
+        }
+      } else {
+        if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+          $this->log->LogWarn($this->getUserName($userID)." attempted to use an invalid change password token from [".$_SERVER['REMOTE_ADDR']."]");
+        }
+        $this->setErrorMessage('Invalid token');
+        return false;
+      }
+    }
     $stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ? WHERE ( id = ? AND pass = ? )");
     if ($this->checkStmt($stmt)) {
       $stmt->bind_param('sis', $new, $userID, $current);
       $stmt->execute();
       if ($stmt->errno == 0 && $stmt->affected_rows === 1) {
-        // twofactor - consume the token if it is enabled and valid
-        if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['changepw']) {
-          $tValid = $this->token->isTokenValid($userID, $strToken, 6);
-          if ($tValid) {
-            $this->token->deleteToken($strToken);
-          } else {
-            $this->setErrorMessage('Invalid token');
-            return false;
-          }
+        if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+          $this->log->LogInfo($this->getUserName($userID)." updated password from [".$_SERVER['REMOTE_ADDR']."]");
         }
         return true;
       }
       $stmt->close();
     }
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn($this->getUserName($userID)." incorrect password update attempt from [".$_SERVER['REMOTE_ADDR']."]");
+    }
     $this->setErrorMessage( 'Unable to update password, current password wrong?' );
     return false;
   }
@@ -434,20 +496,38 @@ public function updateAccount($userID, $address, $threshold, $donate, $email, $i
     $threshold = min($this->config['ap_threshold']['max'], max(0, floatval($threshold)));
     $donate = min(100, max(0, floatval($donate)));
 
-    // We passed all validation checks so update the account
-    $stmt = $this->mysqli->prepare("UPDATE $this->table SET coin_address = ?, ap_threshold = ?, donate_percent = ?, email = ?, is_anonymous = ? WHERE id = ?");
-    if ($this->checkStmt($stmt) && $stmt->bind_param('sddsii', $address, $threshold, $donate, $email, $is_anonymous, $userID) && $stmt->execute())
-      // twofactor - consume the token if it is enabled and valid
-      if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['details']) {
-        $tValid = $this->token->isTokenValid($userID, $strToken, 5);
-        if ($tValid) {
-          $this->token->deleteToken($strToken);
+    // twofactor - consume the token if it is enabled and valid
+    if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['details']) {
+      $tValid = $this->token->isTokenValid($userID, $strToken, 5);
+      if ($tValid) {
+        if ($this->token->deleteToken($strToken)) {
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogInfo($this->getUserName($userID)." deleted account update token for [".$_SERVER['REMOTE_ADDR']."]");
+          }
         } else {
-          $this->setErrorMessage('Invalid token');
+          $this->setErrorMessage('Token deletion failed');
+          if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+            $this->log->LogWarn($this->getUserName($userID)." updated their account details but token deletion failed from [".$_SERVER['REMOTE_ADDR']."]");
+          }
           return false;
         }
+      } else {
+        $this->setErrorMessage('Invalid token');
+        if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+          $this->log->LogWarn($this->getUserName($userID)." attempted to use an invalid token account update token from [".$_SERVER['REMOTE_ADDR']."]");
+        }
+        return false;
+      }
+    }
+    
+    // We passed all validation checks so update the account
+    $stmt = $this->mysqli->prepare("UPDATE $this->table SET coin_address = ?, ap_threshold = ?, donate_percent = ?, email = ?, is_anonymous = ? WHERE id = ?");
+    if ($this->checkStmt($stmt) && $stmt->bind_param('sddsii', $address, $threshold, $donate, $email, $is_anonymous, $userID) && $stmt->execute()) {
+      if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+        $this->log->LogInfo($this->getUserName($userID)." updated their account details from [".$_SERVER['REMOTE_ADDR']."]");
       }
       return true;
+    }
     // Catchall
     $this->setErrorMessage('Failed to update your account');
     $this->debug->append('Account update failed: ' . $this->mysqli->error);
@@ -542,7 +622,7 @@ public function logoutUser() {
     $port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
     $pushto = $_SERVER['SCRIPT_NAME'].'?page=login';
     $location = (@$_SERVER['HTTPS'] == 'on') ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $pushto : 'http://' . $_SERVER['SERVER_NAME'] . $port . $pushto;
-    // if (!headers_sent()) header('Location: ' . $location);
+    if (!headers_sent()) header('Location: ' . $location);
     exit('<meta http-equiv="refresh" content="0; url=' . $location . '"/>');
   }
 
@@ -789,6 +869,13 @@ public function initResetPassword($username) {
     }
     $aData['username'] = $this->getUserName($this->getUserId($username, true));
     $aData['subject'] = 'Password Reset Request';
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      if ($_SERVER['REMOTE_ADDR'] !== $this->getUserIp($this->getUserId($username, true))) {
+        $this->log->LogWarn("$username requested password reset from [".$_SERVER['REMOTE_ADDR']."] saved is [".$this->getUserIp($this->getUserId($username, true))."]");
+      } else {
+        $this->log->LogInfo("$username requested password reset from [".$_SERVER['REMOTE_ADDR']."] saved is [".$this->getUserIp($this->getUserId($username, true))."]");
+      }
+    }
     if ($this->mail->sendMail('password/reset', $aData)) {
         return true;
       } else {
@@ -812,7 +899,10 @@ public function isAuthenticated($logout=true) {
     $this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
     ) return true;
     // Catchall
-    if ($logout == true) $this->logoutUser($_SERVER['REQUEST_URI']);
+    if ($this->config['logging']['enabled'] && $this->config['logging']['level'] > 0) {
+      $this->log->LogWarn("Forcing logout, user is locked or IP changed mid session from [".$_SERVER['REMOTE_ADDR']."]");
+    }
+    if ($logout == true) $this->logoutUser();
     return false;
   }
 
@@ -853,6 +943,7 @@ public function getCurrentIP($trustremote=true, $checkclient=false, $checkforwar
 // Make our class available automatically
 $user = new User();
 $user->setDebug($debug);
+$user->setLog($log);
 $user->setMysql($mysqli);
 $user->setSalt($config['SALT']);
 $user->setSmarty($smarty);

public/include/config/security.inc.dist.php

@@ -4,11 +4,21 @@
 /**
  * Misc
  *  Extra security settings
- *   
+ *
  **/
 $config['https_only'] = false;
 $config['mysql_filter'] = true;
 
+/**
+ * Logging
+ *  Log security issues - 0 = disabled, 2 = everything, 3 = warnings only
+ *   
+ */
+$config['logging']['enabled'] = true;
+$config['logging']['level'] = 3;
+$config['logging']['path'] = realpath(BASEPATH.'../logs');
+$config['logging']['file'] = date('Y-m-d').'.security.log';
+
 /**
  * Memcache Rate Limiting
  *  Rate limit requests using Memcache