feat(authentication): enhance logging and integrate Fail2Ban configuration (#187)

README.md

@@ -190,6 +190,64 @@ Restart=on-failure
 WantedBy=multi-user.target
 ```
 
+## Fail2Ban Setup
+
+To add security against brute-force attacks in your WebDAV server, you can configure Fail2Ban to ban IP addresses after a set number of failed login attempts.
+
+### Filter Configuration
+
+Create a new filter rule under `filter.d/webdav.conf`:
+
+```ini
+[INCLUDES]
+before = common.conf
+
+[Definition]
+# Failregex to match "invalid password" and extract remote_address only
+failregex = ^.*invalid password\s*\{.*"remote_address":\s*"<HOST>"\s*\}
+
+# Failregex to match "invalid username" and extract remote_address only (if applicable)
+failregex += ^.*invalid username\s*\{.*"remote_address":\s*"<HOST>"\s*\}
+
+ignoreregex =
+```
+
+This configuration will capture invalid login attempts and extract the IP address to ban.
+
+### Jail Configuration
+
+In `jail.d/webdav.conf`, define the jail that monitors your WebDAV log for failed login attempts:
+
+```ini
+[webdav]
+
+enabled = true
+port = [your_port]
+filter = webdav
+logpath = [your_log_path]
+banaction = iptables-allports
+ignoreself = false
+```
+
+- Replace `[your_port]` with the port your WebDAV server is running on.
+- Replace `[your_log_path]` with the path to your WebDAV log file.
+
+### Final Steps
+
+1. Restart Fail2Ban to apply these configurations:
+
+ ```bash
+ sudo systemctl restart fail2ban
+ ```
+
+2. Verify that Fail2Ban is running and monitoring your WebDAV logs:
+
+ ```bash
+ sudo fail2ban-client status webdav
+ ```
+
+With this setup, Fail2Ban will automatically block IP addresses that exceed the allowed number of failed login attempts.
+
 ## Contributing
 
 Feel free to open an issue or a pull request.

lib/handler.go

@@ -84,27 +84,33 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  if len(h.users) > 0 {
  w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
+ // Retrieve the real client IP address using the updated helper function
+ remoteAddr := getRealRemoteIP(r)
+
  // Gets the correct user for this request.
  username, password, ok := r.BasicAuth()
- zap.L().Info("login attempt", zap.String("username", username), zap.String("remote_address", r.RemoteAddr))
  if !ok {
  http.Error(w, "Not authorized", http.StatusUnauthorized)
  return
  }
 
  user, ok = h.users[username]
  if !ok {
+ // Log invalid username
+ zap.L().Info("invalid username", zap.String("username", username), zap.String("remote_address", remoteAddr))
  http.Error(w, "Not authorized", http.StatusUnauthorized)
  return
  }
 
  if !h.noPassword && !user.checkPassword(password) {
- zap.L().Info("invalid password", zap.String("username", username), zap.String("remote_address", r.RemoteAddr))
+ // Log invalid password
+ zap.L().Info("invalid password", zap.String("username", username), zap.String("remote_address", remoteAddr))
  http.Error(w, "Not authorized", http.StatusUnauthorized)
  return
  }
 
- zap.L().Info("user authorized", zap.String("username", username))
+ // Log successful authorization
+ zap.L().Info("user authorized", zap.String("username", username), zap.String("remote_address", remoteAddr))
  }
 
  // Cleanup destination header if it's present by stripping out the prefix
@@ -159,6 +165,15 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  user.ServeHTTP(w, r)
 }
 
+// getRealRemoteIP retrieves the client's actual IP address, considering reverse proxies.
+func getRealRemoteIP(r *http.Request) string {
+ ip := r.Header.Get("X-Forwarded-For")
+ if ip == "" {
+ ip = r.RemoteAddr
+ }
+ return ip
+}
+
 type responseWriterNoBody struct {
  http.ResponseWriter
 }