Ticket #1118 (open enhancement)

Login errors should be written to the server error log

  • Created: 2018-07-17 12:26:29
  • Reported by: Visman
  • Assigned to: nsuchy
  • Milestone: None
  • Component: security
  • Priority: normal

For Fail2ban or another log analysis program.
Fight against brute force of search of passwords.

History

nsuchy 2018-07-17 21:53:08

Hi Visman,

Identifying people spamming the login system is definitely useful, although I think this type of more in-depth logging would be better served as a plugin and goes outside the core goals of FluxBB.

Additionally, you should be able to write a fail2ban module to monitor nginx or apache's "access.log" files for POST Requests against login.php and then ban the IP Addresses making too many POST Requests to login.php.

Cheers,
Nathaniel

nsuchy 2018-07-17 21:53:31

  • Owner set to nsuchy.

Visman 2018-07-18 05:02:37

Additionally, you should be able to write a fail2ban module to monitor nginx or apache's "access.log" files for POST Requests against login.php and then ban the IP Addresses making too many POST Requests to login.php.

It would be nice to return the response status of 403, not 200, as it is now with an incorrect login.
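
The access-log approach discussed in this ticket, as an added example that is not part of the thread or of FluxBB's code: fail2ban-style counting (a maximum number of hits inside a time window) over POSTs to login.php, run once on every POST and once only on a distinct failure status. The log lines, IP addresses, thresholds, the `/login.php?action=in` request path and the 200 status for successful logins are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of an nginx/Apache "combined" access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_post_offenders(lines, max_retry=5, find_time=600, fail_status=None):
    """Return IPs with >= max_retry POSTs to login.php within find_time seconds.

    fail_status=None counts every login POST (all the log offers when failures
    and successes share a status); fail_status=403 counts only that status.
    """
    window = timedelta(seconds=find_time)
    hits = defaultdict(deque)          # ip -> timestamps still inside the window
    offenders = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/login.php"):
            continue
        if fail_status is not None and int(m["status"]) != fail_status:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = hits[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop hits older than the window
            q.popleft()
        if len(q) >= max_retry:
            offenders.add(m["ip"])
    return offenders

def _line(ip, sec, status):
    # Constructed combined-format line; path and sizes are assumptions.
    return (f'{ip} - - [17/Jul/2018:12:00:{sec:02d} +0000] '
            f'"POST /login.php?action=in HTTP/1.1" {status} 512 "-" "-"')

def sample_log(failed_status):
    """Constructed traffic: 203.0.113.7 fails 6 logins; 198.51.100.20
    (a shared address) has 5 successful logins, logged as 200."""
    lines = [_line("203.0.113.7", s, failed_status) for s in range(0, 12, 2)]
    lines += [_line("198.51.100.20", s, 200) for s in range(20, 30, 2)]
    return lines

if __name__ == "__main__":
    print(login_post_offenders(sample_log(200)))                   # both IPs
    print(login_post_offenders(sample_log(403), fail_status=403))  # failing IP only
```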