Log failed authentication attempts #288

Open
cRoCx opened this issue Jan 20, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@cRoCx

cRoCx commented Jan 20, 2024

I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing.
`journalctl --grep=wayvnc` returns `Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi`.
The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers.
Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field `rhost=` with an additional whitespace. But a real source IP or hostname would be better.

I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.

cRoCx added the enhancement label on Jan 20, 2024
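
Added example (not part of the issue thread and not wayvnc or fail2ban code): a small Python parser run over the log line quoted in the comment above, showing why an entry with an empty `rhost=` gives a per-source rate limiter nothing to key on. The sshd lines, the 203.0.113.7 address, the function names and the `max_retry` threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

# pam_unix auth-failure message; rhost may be empty, user= may be absent.
PAM_FAILURE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)

# WAYVNC_LINE is the entry quoted in the issue; SSHD_LINE is constructed.
WAYVNC_LINE = (
    "Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): "
    "authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi"
)
SSHD_LINE = (
    "Jan 20 17:10:01 raspberrypi sshd[2001]: pam_unix(sshd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
    "rhost=203.0.113.7  user=pi"
)
SAMPLE = [WAYVNC_LINE] * 3 + [SSHD_LINE] * 3 + ["unrelated line"]


def parse_failure(line):
    """Return (service, rhost, user) for a pam_unix auth failure, else None."""
    m = PAM_FAILURE.search(line)
    if not m:
        return None
    return m["service"], m["rhost"], m["user"]


def ban_candidates(lines, max_retry=3):
    """Return (sources with >= max_retry failures, failures with no source)."""
    per_host, unattributable = Counter(), 0
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        rhost = parsed[1]
        if rhost:
            per_host[rhost] += 1
        else:
            unattributable += 1  # no address in the entry, so nothing to ban
    hosts = sorted(h for h, n in per_host.items() if n >= max_retry)
    return hosts, unattributable


if __name__ == "__main__":
    print(parse_failure(WAYVNC_LINE))
    print(ban_candidates(SAMPLE))
```
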
@any1
Owner

any1 commented Feb 18, 2024

I have nothing against adding an info-level log message about failed login attempts, although you can use wayvncctl to get at this information as is.

Still, I'm not sure if fail2ban is such a good idea...

any1 changed the title from "Fail2ban support needs hostname or ip address in log entries if authentication fails" to "Log failed authentication attempts" on Feb 18, 2024
@4k3or3et

I would also like to ask to add that feature. Blocking brute-force/DDoS attacks is crucial for me.

@4k3or3et

> I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing. `journalctl --grep=wayvnc` returns `Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi`. The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers. Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field `rhost=` with an additional whitespace. But a real source IP or hostname would be better.
>
> I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.

Have you found by any chance any workaround for how to set up fail2ban for wayvnc?

@cRoCx
Author

cRoCx commented Aug 22, 2024

@4k3or3et No, I haven't found a proper workaround … yet.
