
[2.0.4][fail2ban] No entry in apache2 logfile when authentication fails on user login #2117

Closed
apos opened this issue May 26, 2016 · 5 comments

apos commented May 26, 2016

Issue details

When using wallabag 1.9.x I secured my installation with fail2ban, which worked fine for me using the apache error log. Users that tried to log in left an "authentication failure" entry in the logfile used by fail2ban.

Now, after upgrading to wallabag 2.0.4 (new installation), no error message appears in the apache2 log file, neither when an unregistered user tries to log in nor when an existing user logs in with a wrong password.

Environment

  • wallabag version (or git revision) that exhibits the issue: 2.0.4.
  • How did you install wallabag? : git clone
  • Last wallabag version that did not exhibit the issue (if applicable): 2.0.4
  • php version: PHP 5.5.9-1ubuntu4.17
  • Webserver: apache 2.4
  • OS: Ubuntu server - Ubuntu 14.04.4 LTS
  • type of hosting (shared or dedicated): KVM vserver
  • which storage system you choose at install: MySQL

Steps to reproduce/test case

  1. Install wallabag 2.0.4
  2. Create a virtual host file like this:

```apache
<VirtualHost *:80>

        ServerName mywallagbag.mydomain.tld
        ServerAlias www.mywallagbag.mydomain.tld
        DocumentRoot /srv/www/mywallagbag.mydomain.tld/web

        ErrorLog /var/log/apache2/mywallagbag.mydomain.tld-error.log
        CustomLog /var/log/apache2/mywallagbag.mydomain.tld-access.log combined

        <Directory "/srv/www/mywallagbag.mydomain.tld/web">

            # apache 2.4
            DirectoryIndex app.php
            AllowOverride All
            Require all granted

            <IfModule mod_rewrite.c>
                Options -MultiViews
                RewriteEngine On
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteRule ^(.*)$ app.php [QSA,L]
            </IfModule>

        </Directory>

        <Directory "/srv/www/mywallagbag.mydomain.tld/web/bundles">
            <IfModule mod_rewrite.c>
                RewriteEngine Off
            </IfModule>
        </Directory>

</VirtualHost>
```

  3. Monitor the apache log file:

```shell
tail -f /var/log/apache2/mywallagbag.mydomain.tld-error.log
```

  4. Open your browser and log in via the web interface with an unknown user and password, or with a known user and a wrong password.
  5. No error message about the authentication failure appears in the logfile.
j0k3r commented May 26, 2016

Give it a try by looking inside /srv/www/mywallagbag.mydomain.tld/var/logs/prod.log, but I don't think we log failed authentication.

apos commented May 27, 2016

Thanks j0k3r,

nope, that logfile does not show any auth failures ...
... so obviously you don't log failed authentication (in 2.x), but I could (as in 1.9.x) in the apache2 logfiles. ;-)

I used this for fail2ban, which worked, but now the apache2 logfile is empty on authentication errors ;-(

Just for completeness: here's my fail2ban [1] config for the former 1.9.x setup, which monitors the apache error log:

```ini
# /etc/fail2ban/filter.d/apache-wallabag.conf
# http://www.sublimigeek.fr/fail2ban-securiser-instance-wallabag
# .* \[error\] \[client <HOST>\] user .* authentication failure, referer:

[Definition]
failregex = .* \[:error\] \[pid \d*\] \[client <HOST>:\d*\] user .* authentication failure, referer: https:\/\/mywallabag\.mydomain\.tld\/
ignoreregex =
```

```ini
# /etc/fail2ban/jail.d/apache-wallabag.conf
# Wallabag filter
[apache-wallabag]
enabled = true
port    = http,https
filter  = apache-wallabag
logpath = /var/log/apache2/mywallabag-mydomain-tld-error.log
# value missing in the posted config
maxretry =
```

[1] https://wiki.blue-it.org/Wallabag#Fail2ban
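The following is an added example, not part of the original thread and not code from wallabag or fail2ban. It replays the posted apache-wallabag failregex over constructed Apache 2.4 error-log lines, so you can see what the 1.9.x jail actually counted and why the same jail counts nothing against a 2.0.4 install whose error log stays empty. The `<HOST>` expansion used below is the one fail2ban 0.9 used (an assumption; newer releases use a broader pattern), the sample log lines are made up, and the findtime window of a real jail is left out.

```python
import re

# fail2ban replaces its <HOST> tag with a named group before compiling the
# failregex. Assumption: this is the fail2ban 0.9 expansion; newer versions
# use a wider pattern that also handles IPv6 and hostnames.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex from /etc/fail2ban/filter.d/apache-wallabag.conf as posted above,
# with <HOST> substituted.
FAILREGEX = (
    r".* \[:error\] \[pid \d*\] \[client " + HOST + r":\d*\] user .* "
    r"authentication failure, referer: https:\/\/mywallabag\.mydomain\.tld\/"
)
FAIL_RE = re.compile(FAILREGEX)

# Constructed sample of an Apache 2.4 error log from the 1.9.x setup: mod_php
# error_log() output appears as "[:error]" and Apache appends ", referer: ..."
# only when the request carried a Referer header.
LOG_19X = [
    "[Thu May 26 10:00:01.000000 2016] [:error] [pid 4242] [client 203.0.113.5:51234] "
    "user bob authentication failure, referer: https://mywallabag.mydomain.tld/",
    "[Thu May 26 10:00:02.000000 2016] [:error] [pid 4242] [client 203.0.113.5:51235] "
    "user bob authentication failure, referer: https://mywallabag.mydomain.tld/",
    "[Thu May 26 10:00:03.000000 2016] [:error] [pid 4243] [client 203.0.113.5:51236] "
    "user admin authentication failure, referer: https://mywallabag.mydomain.tld/",
    "[Thu May 26 10:00:04.000000 2016] [:error] [pid 4243] [client 203.0.113.5:51237] "
    "user admin authentication failure, referer: https://mywallabag.mydomain.tld/",
    "[Thu May 26 10:00:05.000000 2016] [:error] [pid 4242] [client 203.0.113.5:51238] "
    "user root authentication failure, referer: https://mywallabag.mydomain.tld/",
    "[Thu May 26 10:00:06.000000 2016] [:error] [pid 4244] [client 198.51.100.7:40001] "
    "user alice authentication failure, referer: https://mywallabag.mydomain.tld/",
    # Same failure, but the client sent no Referer header: the posted regex
    # anchors on the referer, so this attempt is invisible to the jail.
    "[Thu May 26 10:00:07.000000 2016] [:error] [pid 4244] [client 192.0.2.9:40002] "
    "user eve authentication failure",
    # Unrelated core error: must not match.
    "[Thu May 26 10:00:08.000000 2016] [core:error] [pid 4242] [client 203.0.113.5:51240] "
    "AH00037: Symbolic link not allowed or link target not accessible: "
    "/srv/www/mywallabag.mydomain.tld/web/old",
]

# Constructed sample for 2.0.4: failed logins leave nothing in the error log,
# so only unrelated server notices remain.
LOG_20X = [
    "[Thu May 26 10:05:00.000000 2016] [mpm_prefork:notice] [pid 4242] "
    "AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations",
]


def failures_per_host(lines):
    """Count failregex hits per client host, as a jail tallies them
    (the findtime window is omitted here)."""
    counts = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(lines, maxretry=5):
    """Hosts that reached maxretry hits. 5 is fail2ban's jail.conf default;
    the posted jail leaves maxretry empty."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("1.9.x log:", failures_per_host(LOG_19X), "->", hosts_to_ban(LOG_19X))
    print("2.0.4 log:", failures_per_host(LOG_20X), "->", hosts_to_ban(LOG_20X))
```

Two things worth taking from the run: the 2.0.4 log yields no hits at all, which is exactly the symptom in this issue, and the posted regex only counts attempts whose Referer header matches the site, so a client that simply omits Referer is never banned. The same check against a real log file is `fail2ban-regex <logfile> /etc/fail2ban/filter.d/apache-wallabag.conf`.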

j0k3r commented May 27, 2016

Could be an improvement, but I've no idea if we can do it. We'll see.

j0k3r commented Jul 6, 2017

Duplicate #3183
It'll be available in the 2.3.0 release.

@j0k3r j0k3r closed this as completed Jul 6, 2017
@j0k3r j0k3r added this to the 2.3.0 milestone Jul 6, 2017
@JialuZhang

@apos

In your configuration,

```apache
        <Directory "/srv/www/mywallagbag.mydomain.tld/web/bundles">
            <IfModule mod_rewrite.c>
                RewriteEngine Off
            </IfModule>
        </Directory>
```

the line "RewriteEngine Off" is a silent misconfiguration. This means adding it to your system will not change any system behavior.
"RewriteEngine Off" was introduced by Apache to explicitly disable all "RewriteRule" and "RewriteCond" directives.
That is to say, if you include multiple "RewriteRule" and "RewriteCond" parameters in your configuration, then instead of commenting them all out, you can explicitly set "RewriteEngine Off" to disable every "RewriteRule".
More importantly, the default value of "RewriteEngine" is already "off", so adding "RewriteEngine off" is quite unnecessary and may confuse users.
Since there is no "RewriteRule" in this directory, deleting "RewriteEngine Off" would be ideal.
Related Apache source code snippet:

```c
run_rewritemap_programs(server_rec *s, apr_pool_t *p)
{
    if (conf->state == ENGINE_DISABLED) { /* usage of "RewriteEngine" */
        return APR_SUCCESS;               /* early return */
    }
    rewritemap_program(...);              /* usage of "RewriteRule" */
}
```
