Navidrome doesn't currently report the IP address of failed login requests via API.
This makes it harder to stop malicious actors:
Jul 19 21:08:41 HOST navidrome-server[772953]: time="2022-07-19T19:08:41Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password" requestId=navidrome/dZT6Co9Qou-048426
Something like
Jul 19 21:08:41 HOST navidrome-server[772953]: time="2022-07-19T19:08:41Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password from 76.54.32.10" requestId=navidrome/dZT6Co9Qou-048426
would allow tracking the number of failed login attempts (and other kinds of warnings) for a certain IP address using fail2ban.
Of course the IP address in question should be the client remote address, not the reverse proxy one.
Good call! I will add the remoteAddr to the "Invalid Login" log line:
DEBU[0006] API: New request /rest/ping.view client=myplayer requestId=MacDeluan16.local/qkgm7YYBiV-000001 username=admin version=1.9.0
WARN[0006] API: Invalid login error="invalid authentication" remoteAddr="127.0.0.1:54548" requestId=MacDeluan16.local/qkgm7YYBiV-000001 username=admin
WARN[0006] API: Failed response error=40 message="Wrong username or password" requestId=MacDeluan16.local/qkgm7YYBiV-000001
DEBU[0006] HTTP: GET http://localhost:4533/rest/ping.view?u=admin&p=[REDACTED]&v=1.9.0&f=json&c=myplayer elapsedTime=2.4ms httpStatus=200 remoteAddr="127.0.0.1:54548" requestId=MacDeluan16.local/qkgm7YYBiV-000001 re
Navidrome uses chi's RealIP middleware to try to get the correct client IP. Keep in mind that this is not 100% bulletproof.
8cd405d
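An added example, not part of the original thread or of Navidrome's code: the per-IP counting that the request wants from fail2ban, run over the new "API: Invalid login" line. It assumes the journal form of that line is logfmt-style with `time=`, `msg=` and `remoteAddr=` fields; the function names, the thresholds (named after fail2ban's `maxretry` and `findtime`) and all sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address
# Constructed sample input. Assumption: in journal output the new warning is
# written logfmt-style as msg="API: Invalid login" with a remoteAddr field.
P = ('time="2022-07-19T19:%s:41Z" level=warning msg="API: Invalid login" '
     'error="invalid authentication" remoteAddr="%s" username=%s')
SAMPLE = [
    P % ("08", "203.0.113.7:54548", "admin"),
    P % ("09", "203.0.113.7:54550", "admin"),
    'time="2022-07-19T19:09:50Z" level=warning msg="API: Failed response" error=40',
    P % ("10", "203.0.113.7", "root"),               # address without a port
    P % ("10", "[2001:db8::5]:4000", "admin"),
    P % ("11", "[2001:db8::5]:4001", "admin"),
    P % ("12", "198.51.100.20:1", r'"x\" remoteAddr=\"203.0.113.99:1"'),  # escaped quotes stay in username
    P % ("40", "[2001:db8::5]:4002", "admin"),       # outside the 10 min window
]
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse(line):
    # Split a logfmt line into {key: value}; a quoted value is one field.
    return {k: q or b for k, q, b in FIELD.findall(line)}

def client_ip(remote_addr):
    """Return the bare IP from 'v4:port', '[v6]:port' or a plain address."""
    try:
        if remote_addr.startswith("["):
            remote_addr = remote_addr[1:remote_addr.index("]")]
        elif remote_addr.count(":") == 1:
            remote_addr = remote_addr.rsplit(":", 1)[0]
        return str(ip_address(remote_addr))
    except ValueError:
        return None

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Map each IP to the time it reached max_retry failures within find_time."""
    recent, flagged = defaultdict(deque), {}
    for f in map(parse, lines):
        ip = client_ip(f.get("remoteAddr", ""))
        if f.get("msg") != "API: Invalid login" or ip is None or "time" not in f:
            continue
        ts = datetime.fromisoformat(f["time"].replace("Z", "+00:00"))
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > find_time:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_retry:
            flagged.setdefault(ip, ts)
    return flagged
```

`offenders(SAMPLE)` flags only 203.0.113.7. The count is only as reliable as the address chi's RealIP middleware derives behind the reverse proxy.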
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.