When processing secpass login, failed logins are not recorded

[jnorell]

I would like to have fail2ban monitor login failures and block clients after a threshold.

Currently I find only successful logins are logged, not failed logins, so the first part of the rfe is to log all login failures. (Note if you have Account Locking enabled, then login failures for valid accounts are logged - not helpful for catching most brute force attempts.) If setting debug level logging you do see the username of invalid login attempts as well, but this doesn't work for fail2ban, as it does not log the actual failure, the debug level log is the attempt whether successful or not. (And it seems login failures should always be logged, not as a 'debugging' level message.)

The other part needed is to include the ip address of the client in the log message, so fail2ban can match and block the client.

[cigamit]

Audited the login code and found that secpass did not log login subsequent attempts after the account was locked out.

[cigamit]

This is resolved now.

[jnorell]

I'm glad you found and fixed a related issue in the logging, but this was intended to be a request for enhancement, not a bug report, and it certainly does not address the issue I was requesting. Please re-read the request and consider reopening.

[netniV]

Rather that suggesting to simply re-read, it may be more efficient to point to the part that you actually want implementing that seems to have been missed. I'm reading between the lines and I think you are saying that if there is an attempt to login with an account that does not exist, that is not logged?

[netniV]

Also, if you actually used the github templates that are provided for creating new issues, you would have filled in the enhancement template, which would have made it obvious it was an enhancement request, not just a bug report which the majority of posts are.

[cigamit]

I believe he is wanting the IP address in the log also. We would have to attempt to determine exactly what the IP is though, in case the Cacti server is sitting behind a proxy or Cloudflare.