Log file should [optionally] include IP addresses for failed login attempts #2824
Comments
Tbh, I don't see any issues with logging IP addresses of failed attempts by default without any additional settings. Regardless of how privacy-minded people use AG, this may be a security issue. Also, I guess it's time to have some protection against brute-force attacks: #2826
If the user mistypes their password, their IP would end up in the log files. I agree that it's probably overboard for the vast majority of people but there are definitely people who are, and have reason to be, that paranoid.
Well, it's their own instance after all.
I guess we could just write this info in the debug level log, and keep it simple in INFO.
Something like the log level would probably work. I fully expected to see it when I turned verbose logging on.
Updates #2824.
Squashed commit of the following:
commit 4457725
Author: Ainar Garipov <[email protected]>
Date: Tue Apr 6 14:23:12 2021 +0300
    home: imp docs, spacing
commit 7392cba
Author: Ainar Garipov <[email protected]>
Date: Tue Apr 6 14:10:12 2021 +0300
    home: print client ip after failed logins
Should be fixed on the edge channel as of snapshot 8746005. The message that is shown in the logs will look like:
Can you please check if our solution fixes the issue for you?
Sorry, I recently had a death in the family and won't be at my workstation for a week or two so I can't test it. The log line you posted looks perfect though.
Our condolences to you and your family. I hope it's okay for me to close the issue for now. Please reopen if you find any issues with the implementation.
This feature seems to have been removed with d317e19. Was this intentional?
@de-es, we did not intend to remove any information from the log. Can you provide an example of a message that lacks information?
I was hoping to get the ip address on a failed login attempt but it just states
It is working though for a successful attempt:
v0.108.0-b.26
Problem Description
There are currently no overall limits or rate limits for failed login attempts, allowing someone to attempt to brute-force attack the server. There are standard fixes for this issue, e.g. fail2ban, but they require a timestamp and IP address of failed login attempts to be logged to a file. Currently, we can set log_file in AdguardHome.yaml to get most of this but even setting verbose to true does not give us the necessary IP address to ban.
Proposed Solution
Obviously, there are a lot of privacy-minded people using Adguard Home solely on private networks and VPNs, so not everyone would want an IP address of any sort logged. The ideal solution would be to make it so you could only log IPs on failed login attempts. Since these sorts of solutions tend to be behind reverse proxies it would be really nice to be able to say which header (e.g. X-Client-IP, X-Real-IP) to log the IP from as well. This is extremely necessary for those of us running on a VPS who don't want to bring our dns down to expose ports every time we want to check the stats or make a filter change.
Alternatives Considered
Adguard Home could implement its own rate limiting and banning. This wouldn't have the benefit of banning from other things running on the same server and would require a lot more work for the developers as well as configuration for users.
Additional Information
Currently, the log lines look like this:
2021/03/16 07:59:47 1#204 [info] Auth: invalid user name or password: name="admin"
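The log line quoted above carries a timestamp and a user name but no client address, so a log watcher can notice a burst of failures yet has nothing to ban. The following is an added example (not AdGuard Home code and not part of the original issue) that parses that line format and flags bursts per user name; the threshold, the window and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failed-login line format quoted in the issue. The user name is
# assumed to be a quoted string in which embedded quotes are backslash-escaped.
FAILED_LOGIN = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ \[info\] '
    r'Auth: invalid user name or password: name="(?P<name>(?:[^"\\]|\\.)*)"\s*$'
)

def parse_failed_login(line):
    """Return (timestamp, user name) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["name"]

def find_bursts(lines, max_failures=3, window=timedelta(minutes=1)):
    """Return (user name, timestamp) for each time a name reaches
    max_failures failed logins inside the sliding window."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # not a failed-login line
        ts, name = parsed
        q = recent[name]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= max_failures:
            alerts.append((name, ts))
            q.clear()  # start counting again after an alert
    return alerts

# Constructed sample input in the format shown in the issue.
SAMPLE_LOG = [
    '2021/03/16 07:59:47 1#204 [info] Auth: invalid user name or password: name="admin"',
    '2021/03/16 07:59:58 1#210 [info] Auth: invalid user name or password: name="admin"',
    '2021/03/16 08:00:05 1#214 [info] unrelated message',
    '2021/03/16 08:00:20 1#219 [info] Auth: invalid user name or password: name="admin"',
    '2021/03/16 08:05:00 1#230 [info] Auth: invalid user name or password: name="root"',
]

if __name__ == "__main__":
    for name, ts in find_bursts(SAMPLE_LOG):
        print(f"burst of failed logins for {name!r} at {ts}")
```

Because the key is the user name rather than a source address, the result can drive an alert but not a firewall ban.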