
Add login failures in the logs - to fit with fail2ban needs / avoid bruteforce #3183

Closed
lapineige opened this issue Jun 5, 2017 · 8 comments
Comments

@lapineige
Contributor

Hello Wallabag's contributors :)

In order to protect wallabag with fail2ban (in our case for Yunohost, see YunoHost/apps#247 (comment)), it needs to read the failed accesses in the logs.
Is it possible to add such logging?

This would seriously improve the login security of every wallabag user if fail2ban is present, as it greatly reduces brute-force possibilities (by banning the IP for a certain time after some tries).

Thanks a lot :)

PS: (it obviously doesn't mean the password could be weaker in that case...)

@j0k3r
Member

j0k3r commented Jun 5, 2017

That might be a good feature.
What information do you need on that log message?
Also, it might be interesting if you share the fail2ban config file once we add the logging feature.

@lapineige
Contributor Author

Well, I don't know the details of fail2ban's configuration, but I can show you the regex used for yunohost:

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = helpers.lua:[1-9]+: authenticate\(\): Connection failed for: .*, client: <HOST>
            ^<HOST> -.*\"POST /yunohost/api/login HTTP/1.1\" 401 22

As it's just a simple regex, I guess you could write anything you want as long as it's constant and easy to filter.
But maybe you could log the User-Agent too - and maybe the IP address is needed too? (to ban a specific address)

PS : @maniackcrudelis please correct me if I'm wrong ;)

@j0k3r
Member

j0k3r commented Jun 6, 2017

I can log whatever I want from a request in that log.
If you tell me you need the IP to be able to block that user using fail2ban, I'll put the IP.
Same for the user-agent, request time, cookies, etc.

Just give me a list 🙂

@lapineige
Contributor Author

I let @maniackcrudelis (and maybe @JimboJoe ?) decide here because my understanding of fail2ban is very limited.
But I would say at least the request time, and both User-Agent and IP can be useful (maybe for something else than fail2ban).
Yunohost (nginx in fact) logs a list of connections to wallabag (but not the failed logins), so we already have the IP/UA, but it's easier to have everything in the same place, and I assume it might be useful for other wallabag users (and well, the log file wouldn't be so big ^^).

@maniackcrudelis

Hi j0k3r :)

I'm not an expert either with fail2ban... But as far as I know, fail2ban works with a log and a regex.

I think you can try something like that:
A file in /etc/fail2ban/jail.d, to configure the jail:

# jail section header (added here; a jail.d file is not valid without one)
[wallabag-auth]
enabled = true
port    = http,https
filter  = wallabag-auth
logpath = /var/log/nginx*/*error.log
maxretry = 5

And a file named wallabag-auth.conf in /etc/fail2ban/filter.d (it must have the same name as the previous filter parameter):

# Fail2Ban wallabag auth filter
#

[Definition]

failregex = ^<HOST> -.*GET /wallabag.*Something to match

It's just an idea, it must be tried.
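
Added example (not code from this thread, from YunoHost or from wallabag): the Python below does offline what the YunoHost failregex quoted earlier and the proposed wallabag-auth filter would do inside fail2ban. It expands the `<HOST>` tag to the alias given in the YunoHost comment, matches a failregex against a constructed sample of a prod.log, and applies fail2ban's maxretry/findtime counting per host. The log message format ("Authentication failure for user ..., from IP ...") is an assumption made for the example; the thread does not fix what wallabag actually logs, so adjust FAILREGEX to the real line before using it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this alias (the same one quoted in the
# YunoHost filter comment above): an optional IPv4-mapped "::ffff:" prefix is
# skipped and the address is captured in the named group "host".
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Hypothetical failregex for a wallabag prod.log line (Monolog-style prefix).
# The exact wording is an assumption for this example; what matters for
# fail2ban is that the line carries a timestamp and the client IP.
FAILREGEX = (
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] security\.\w+: '
    r'Authentication failure for user "[^"]*", from IP "<HOST>"'
)

# Constructed sample log: five slow failures from 192.0.2.9, one successful
# login (must not match), a fast brute-force burst from 203.0.113.7 (one line
# via an IPv4-mapped IPv6 address) and two failures from 198.51.100.20.
SAMPLE_LOG = [
    '[2017-06-05 10:00:00] security.ERROR: Authentication failure for user "root", from IP "192.0.2.9", with UA: "python-requests/2.9".',
    '[2017-06-05 10:15:00] security.ERROR: Authentication failure for user "root", from IP "192.0.2.9", with UA: "python-requests/2.9".',
    '[2017-06-05 10:30:00] security.ERROR: Authentication failure for user "root", from IP "192.0.2.9", with UA: "python-requests/2.9".',
    '[2017-06-05 10:45:00] security.ERROR: Authentication failure for user "root", from IP "192.0.2.9", with UA: "python-requests/2.9".',
    '[2017-06-05 11:00:00] security.ERROR: Authentication failure for user "root", from IP "192.0.2.9", with UA: "python-requests/2.9".',
    '[2017-06-05 14:02:11] security.INFO: User "alice" logged in from IP "198.51.100.20".',
    '[2017-06-05 14:03:01] security.ERROR: Authentication failure for user "admin", from IP "203.0.113.7", with UA: "curl/7.52.1".',
    '[2017-06-05 14:03:05] security.ERROR: Authentication failure for user "admin", from IP "203.0.113.7", with UA: "curl/7.52.1".',
    '[2017-06-05 14:03:09] security.ERROR: Authentication failure for user "admin", from IP "::ffff:203.0.113.7", with UA: "curl/7.52.1".',
    '[2017-06-05 14:03:14] security.ERROR: Authentication failure for user "wallabag", from IP "203.0.113.7", with UA: "curl/7.52.1".',
    '[2017-06-05 14:03:20] security.ERROR: Authentication failure for user "wallabag", from IP "203.0.113.7", with UA: "curl/7.52.1".',
    '[2017-06-05 14:10:00] security.ERROR: Authentication failure for user "bob", from IP "198.51.100.20", with UA: "Mozilla/5.0".',
    '[2017-06-05 14:10:30] security.ERROR: Authentication failure for user "bob", from IP "198.51.100.20", with UA: "Mozilla/5.0".',
]


def compile_failregex(pattern: str) -> "re.Pattern[str]":
    """Substitute fail2ban's <HOST> tag with its regex alias and compile."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))


def find_failures(lines, pattern: str = FAILREGEX):
    """Yield (timestamp, host) for every line the failregex matches."""
    rx = compile_failregex(pattern)
    for line in lines:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("host")


def hosts_to_ban(lines, maxretry: int = 5, findtime: int = 600,
                 pattern: str = FAILREGEX) -> set:
    """Return hosts with at least `maxretry` failures inside any sliding
    window of `findtime` seconds, i.e. fail2ban's maxretry/findtime rule."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = set()
    for ts, host in sorted(find_failures(lines, pattern)):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

With the defaults (maxretry = 5, findtime = 600) only 203.0.113.7 is banned: 198.51.100.20 stays under the threshold and 192.0.2.9 spreads its five attempts over an hour, which is exactly the case a short findtime lets through. Once the real log line is known, the same regex goes into the `[Definition]` section of filter.d/wallabag-auth.conf and can be checked against a live log with `fail2ban-regex /var/www/wallabag2/var/logs/prod.log /etc/fail2ban/filter.d/wallabag-auth.conf` before the jail is enabled.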

@anmol26s
Contributor

I don't see failed logins in the logs. Do we have to enable error logs somewhere in the config file?

@JimboJoe

I can see it in a YunoHost wallabag2 instance in /var/www/wallabag2/var/logs/prod.log.

@ei-ke

ei-ke commented Jan 11, 2020

@j0k3r Maybe I should open a new issue, but I think it belongs here: could you also log failures for two-factor auth logins? It might not add much security, but if it isn't an hour's work for you, I'd appreciate it.
