Last Updated on November 30, 2019 by Christopher G Mendla
I use the adauth gem to provide authentication through Active Directory for Rails applications. I wanted to give the apps the ability to store failed logins. In other words, if someone tries to log onto an app and their login fails, the IP and login name used will be written to a file.
The first thing I needed was to create a 'failed_logins' model with two fields: ip and login. The created_at timestamp that Rails adds automatically will record the time the event occurred.
Then I needed to add two lines to the create action in the sessions controller.
def create
  ldap_user = Adauth.authenticate(params[:username], params[:password])
  if ldap_user
    user = User.return_and_create_from_adauth(ldap_user)
    session[:user_id] = user.id
    redirect_to root_path
  else
    # If there is a failed login attempt, get the user's IP and the user name they tried.
    # This will help us discover any attacks from outside the firewall.
    # Date and time created will automatically be logged with created_at
    ip = request.remote_ip
    failed_login = FailedLogin.create(ip: ip, login: params[:username])
    # Note: passing :error to redirect_to only sets the flash if ApplicationController
    # declares `add_flash_types :error`; otherwise Rails ignores the key silently.
    redirect_to signin_path, :error => "Invalid Login"
  end
end
The first new line reads the client's IP from request.remote_ip; the second writes that IP and the attempted login name to the failed_logins table. (If the app sits behind a reverse proxy or load balancer, remote_ip is derived from the X-Forwarded-For header, so make sure the proxy is in the trusted proxy list or every failure will appear to come from the proxy's address.)
I'm not going to set up any automated notifications for now. Later on, I can build a simple routine to scan all of the failed login logs and look for any unusual activity. With this simple tool in place, I can regularly check to see if there are any hacking attempts.
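As an added example (not code from the post), here is the kind of scan routine described above. It models FailedLogin rows as plain Ruby structs built from constructed sample data so it runs without Rails or a database; in the app, `FailedLogin.all` would supply the records instead.

```ruby
require 'time'

# Constructed stand-in for FailedLogin rows: the ip and login columns plus created_at.
FailedLoginRecord = Struct.new(:ip, :login, :created_at)

SAMPLE_FAILED_LOGINS = [
  # one client repeatedly failing against a single account
  *(1..6).map { |i| FailedLoginRecord.new('203.0.113.7', 'jsmith', Time.parse("2019-11-30 08:0#{i}:00 UTC")) },
  # one client failing against many different accounts (password spraying pattern)
  *%w[admin backup helpdesk hr it ops].map.with_index { |u, i| FailedLoginRecord.new('198.51.100.42', u, Time.parse("2019-11-30 09:1#{i}:00 UTC")) },
  # a normal user who mistyped a password twice
  FailedLoginRecord.new('192.0.2.10', 'mjones', Time.parse('2019-11-30 10:00:00 UTC')),
  FailedLoginRecord.new('192.0.2.10', 'mjones', Time.parse('2019-11-30 10:01:00 UTC'))
]

# Scan failed-login records and flag IPs whose activity looks unusual within a
# sliding time window (seconds): too many attempts overall, or attempts against
# too many distinct logins. Returns { ip => { attempts:, logins:, reasons: } }.
def suspicious_ips(records, window: 3600, max_attempts: 5, max_logins: 4)
  findings = {}
  records.group_by(&:ip).each do |ip, events|
    sorted = events.sort_by(&:created_at)
    reasons = []
    # Start a window at every event; the record count for a daily check is small.
    sorted.each_with_index do |start, i|
      in_window = sorted[i..-1].take_while { |e| e.created_at - start.created_at <= window }
      reasons << :many_attempts if in_window.size >= max_attempts
      reasons << :many_logins if in_window.map(&:login).uniq.size >= max_logins
    end
    next if reasons.empty?
    findings[ip] = { attempts: events.size, logins: events.map(&:login).uniq, reasons: reasons.uniq }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  suspicious_ips(SAMPLE_FAILED_LOGINS).each do |ip, f|
    puts "#{ip}: #{f[:attempts]} failures against #{f[:logins].size} login(s) (#{f[:reasons].join(', ')})"
  end
end
```

The thresholds are assumptions; tune them to the app's normal failure rate before acting on the output.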