
Log remote address of failed login attempts #1814

Closed
AlphaJack opened this issue Jul 19, 2022 · 2 comments

Comments

@AlphaJack

Is your feature request related to a problem? Please describe.

Navidrome doesn't currently report the IP address of failed login requests via API.

This makes it harder to stop malicious actors:

Jul 19 21:08:41 HOST navidrome-server[772953]: time="2022-07-19T19:08:41Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password" requestId=navidrome/dZT6Co9Qou-048426

Describe the solution you'd like

Something like

Jul 19 21:08:41 HOST navidrome-server[772953]: time="2022-07-19T19:08:41Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password from 76.54.32.10" requestId=navidrome/dZT6Co9Qou-048426

would allow tracking the number of failed login attempts (and other kinds of warnings) for a certain IP address using fail2ban.

Of course the IP address in question should be the client remote address, not the reverse proxy one.
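Added example (not code from this issue or from the Navidrome project): a small Go program that does what a fail2ban jail would do with the proposed log line, extract the client address from each failed-login entry, validate it, and count failures per address. It goes slightly beyond the request above by also accepting the `remoteAddr="<IP>:<port>"` form that the maintainer's reply below ends up shipping, since a filter for that line has to strip the port before it can key on the address. The log lines, addresses and thresholds are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample log, not real Navidrome output: the first four lines use the
// format this issue proposes ("... from <IP>"), the next two use the
// remoteAddr="<IP>:<port>" form from the maintainer's reply, and the last line is
// a non-failure that must be ignored. Addresses are from documentation ranges.
const sampleLog = `Jul 19 21:08:41 HOST navidrome-server[772953]: time="2022-07-19T19:08:41Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password from 203.0.113.10" requestId=navidrome/example-000001
Jul 19 21:08:42 HOST navidrome-server[772953]: time="2022-07-19T19:08:42Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password from 203.0.113.10" requestId=navidrome/example-000002
Jul 19 21:08:43 HOST navidrome-server[772953]: time="2022-07-19T19:08:43Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password from 198.51.100.7" requestId=navidrome/example-000003
Jul 19 21:08:44 HOST navidrome-server[772953]: time="2022-07-19T19:08:44Z" level=warning msg="API: Failed response" error=40 message="Wrong username or password from 2001:db8::1" requestId=navidrome/example-000004
WARN[0006] API: Invalid login                            error="invalid authentication" remoteAddr="203.0.113.10:54548" requestId=example/000005 username=admin
WARN[0007] API: Invalid login                            error="invalid authentication" remoteAddr="[2001:db8::1]:54549" requestId=example/000006 username=admin
DEBU[0008] API: New request /rest/ping.view              client=myplayer requestId=example/000007 username=admin version=1.9.0`

// proposedFormat matches the line format requested in this issue; the capture
// group plays the role of fail2ban's <HOST> token.
var proposedFormat = regexp.MustCompile(`msg="API: Failed response".*message="Wrong username or password from ([^"]+)"`)

// shippedFormat matches the "API: Invalid login" line, whose remoteAddr carries a port.
var shippedFormat = regexp.MustCompile(`API: Invalid login.*remoteAddr="([^"]+)"`)

// clientIP extracts and validates the offending address from one log line,
// returning "" for lines that are not failed logins.
func clientIP(line string) string {
	var raw string
	if m := proposedFormat.FindStringSubmatch(line); m != nil {
		raw = m[1]
	} else if m := shippedFormat.FindStringSubmatch(line); m != nil {
		raw = m[1]
	} else {
		return ""
	}
	// remoteAddr looks like "1.2.3.4:54548" or "[2001:db8::1]:54549"; drop the port.
	if host, _, err := net.SplitHostPort(raw); err == nil {
		raw = host
	}
	ip := net.ParseIP(raw) // rejects garbage so a malformed line cannot create a bogus key
	if ip == nil {
		return ""
	}
	return ip.String() // canonical form, so differently spelled IPv6 addresses count together
}

// CountFailures returns failed-login counts per client IP.
func CountFailures(log string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if ip := clientIP(sc.Text()); ip != "" {
			counts[ip]++
		}
	}
	return counts
}

// Offenders lists addresses with at least threshold failures, sorted, which is
// what a fail2ban jail with maxretry=threshold would act on.
func Offenders(counts map[string]int, threshold int) []string {
	var out []string
	for ip, n := range counts {
		if n >= threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	counts := CountFailures(sampleLog)
	for _, ip := range Offenders(counts, 3) {
		fmt.Printf("%s: %d failed logins\n", ip, counts[ip])
	}
}
```

The equivalent fail2ban filter for the proposed format would be a failregex ending in `message="Wrong username or password from <HOST>"`; for the format that actually shipped the pattern has to account for the trailing `:port` (and the `[...]` around IPv6 addresses), which is why the example normalises with `net.SplitHostPort` before counting.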

@deluan
Member

deluan commented Jul 26, 2022

Good call! I will add the remoteAddr to the "Invalid Login" log line:

DEBU[0006] API: New request /rest/ping.view              client=myplayer requestId=MacDeluan16.local/qkgm7YYBiV-000001 username=admin version=1.9.0
WARN[0006] API: Invalid login                            error="invalid authentication" remoteAddr="127.0.0.1:54548" requestId=MacDeluan16.local/qkgm7YYBiV-000001 username=admin
WARN[0006] API: Failed response                          error=40 message="Wrong username or password" requestId=MacDeluan16.local/qkgm7YYBiV-000001
DEBU[0006] HTTP: GET http://localhost:4533/rest/ping.view?u=admin&p=[REDACTED]&v=1.9.0&f=json&c=myplayer  elapsedTime=2.4ms httpStatus=200 remoteAddr="127.0.0.1:54548" requestId=MacDeluan16.local/qkgm7YYBiV-000001 re

> Of course the IP address in question should be the client remote address, not the reverse proxy one.

Navidrome uses chi's RealIP middleware to try to get the correct client IP. Keep in mind that this is not 100% bulletproof.
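Added example (not code from this issue, from Navidrome or from chi) illustrating the caveat above. chi's RealIP middleware rewrites `RemoteAddr` from the `True-Client-IP`, `X-Real-IP` or `X-Forwarded-For` header whoever sent it, which is why its documentation says to use it only behind a trusted proxy: a client that can reach the server directly could otherwise choose the address that lands in the "Invalid login" line and, via fail2ban, in the ban list. The stand-in below reads the same headers but only when the TCP peer is in a configured proxy list; the proxy range, peers and headers are constructed for the example, and the header handling is a simplified reimplementation, not chi's code.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// headerClientIP is a simplified stand-in for chi's RealIP header handling
// (written for this example, not chi's code): it consults True-Client-IP,
// X-Real-IP and X-Forwarded-For and returns the first value that parses as an IP.
func headerClientIP(h http.Header) string {
	candidates := []string{h.Get("True-Client-IP"), h.Get("X-Real-IP")}
	if xff := h.Get("X-Forwarded-For"); xff != "" {
		// X-Forwarded-For is "client, proxy1, proxy2"; the left-most entry is the client.
		candidates = append(candidates, strings.TrimSpace(strings.Split(xff, ",")[0]))
	}
	for _, c := range candidates {
		if ip := net.ParseIP(c); ip != nil {
			return ip.String()
		}
	}
	return ""
}

// TrustedProxyRealIP honours forwarding headers only when the TCP peer
// (r.RemoteAddr) is one of the listed proxies. A client that reaches the server
// directly therefore cannot pick the address that ends up in the log line
// that fail2ban reads.
func TrustedProxyRealIP(trusted []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		if peer := net.ParseIP(host); peer != nil && isTrusted(peer, trusted) {
			if ip := headerClientIP(r.Header); ip != "" {
				r.RemoteAddr = ip
			}
		}
		next.ServeHTTP(w, r)
	})
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ResolveClientAddr sends one request through the middleware and returns the
// RemoteAddr the inner handler sees, i.e. what a logger would record for it.
func ResolveClientAddr(peer string, headers map[string]string, trustedCIDRs []string) string {
	var trusted []*net.IPNet
	for _, c := range trustedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			trusted = append(trusted, n)
		}
	}
	seen := ""
	h := TrustedProxyRealIP(trusted, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.RemoteAddr
	}))
	req := httptest.NewRequest(http.MethodGet, "/rest/ping.view", nil)
	req.RemoteAddr = peer // httptest sets a placeholder peer; override with the constructed one
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	proxies := []string{"10.0.0.0/8"} // assumption: the reverse proxy lives in 10.0.0.0/8
	// Relayed by the trusted proxy: the forwarded client address is used.
	fmt.Println(ResolveClientAddr("10.0.0.2:40000", map[string]string{"X-Forwarded-For": "198.51.100.7, 10.0.0.2"}, proxies))
	// Direct connection carrying the same header: the real peer address is kept.
	fmt.Println(ResolveClientAddr("203.0.113.10:40001", map[string]string{"X-Forwarded-For": "198.51.100.7"}, proxies))
}
```

In a deployment the proxy list is the one piece of configuration that makes the logged address trustworthy; without it, the log line is only as reliable as whoever set the header.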

@deluan deluan closed this as completed in 8cd405d Jul 26, 2022
@github-actions

github-actions bot commented Mar 8, 2023

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 8, 2023