I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing. `journalctl --grep=wayvnc` returns `Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi`.
The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers.
Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field `rhost=` with an additional whitespace. But a real source IP or hostname would be better.
I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or IP address field.
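The problem described in the report above, as an added example that is not part of the original issue and is not wayvnc or fail2ban code: a small parser showing that the quoted line can be recognised as a failed login but cannot be attributed to a source. The second sample line, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import re

# Constructed sample input: line 1 has the shape quoted in the issue (empty
# rhost=); line 2 is a made-up variant with rhost filled in (192.0.2.10 is a
# documentation address), i.e. what the issue asks wayvnc to produce.
SAMPLE_LINES = [
    "Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): "
    "authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi",
    "Jan 20 17:10:02 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): "
    "authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=192.0.2.10 user=pi",
]

PAM_FAILURE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure; (?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # a value may be empty, as with rhost= above


def parse_failure(line):
    """Return the key=value fields of a pam_unix auth failure, or None."""
    m = PAM_FAILURE.search(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    fields["service"] = m.group("service")
    return fields


def source_host(line):
    """Return the remote host a ban could act on, or None if the log has none."""
    fields = parse_failure(line)
    if fields is None or fields.get("service") != "wayvnc":
        return None
    return fields.get("rhost") or None


def triage(lines):
    """Count wayvnc failures that can / cannot be attributed to a source."""
    counts = {"attributable": 0, "unattributable": 0}
    for line in lines:
        fields = parse_failure(line)
        if fields is None or fields["service"] != "wayvnc":
            continue
        counts["attributable" if fields.get("rhost") else "unattributable"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(source_host(line), "<-", line[-40:])
    print(triage(SAMPLE_LINES))
```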
I have nothing against adding an info-level log message about failed login attempts although you can use wayvncctl to get at this information as is.
Still, I'm not sure if fail2ban is such a good idea...
any1 changed the title from "Fail2ban support needs hostname or ip address in log entries if authentication fails" to "Log failed authentication attempts" on Feb 18, 2024