Log failed authentication attempts #288
Labels
enhancement
New feature or request
Comments
|
I have nothing against adding an info-level log message about failed login attempts although you can use Still, I'm not sure if fail2ban is such a good idea... |
any1
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out, that some log information are missing.
journalctl --grep=wayvncreturnsJan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi.The hostname or ip address where the authentication is coming from is empty, which makes it impractical to identify potential attackers.
Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field
rhost=with an additional whitespace. But a real source ip or hostname would be better.I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.
The text was updated successfully, but these errors were encountered: