I was hoping Discourse could log invalid login attempts to file, even if it is something you have to configure to do so. Then I could create a custom filter and jail for discourse
I use a centralized fail2ban server. the way it works is all my Containers, Docker images, VMs have a custom ban action:
in fail2ban you specify the action to take in your jail, such as: action = iptables-allports
then all you have to do is edit that action: sudo nano /etc/fail2ban/action.d/iptables-allports.conf
With this setup your container/docker/vm will fail2ban them locally, but it will also relay this information to your central fail2ban server. The central server can also take all collected IPs and make them available as txt banlist such as: https://fail2ban.YourDomain.com/banned.txt
Then you can have your pfsense firewall subscribe to this banlist, and you can even share the list with other pfsense routers. This way if they try breaking in on one application, they get banned from everything. This has worked great for me for years.
And all that I need to implement this for discourse is for discourse to write an entry to a log file when there is an invalid login attempt
The NGINX logs
Occasionally NGINX logs may contain some extra tips, they are located at:
cd /var/discourse
./launcher enter app
cd /var/log/nginx
The files access.log and error.log will be there as well as a bunch of rotated compressed files. Running less access.log.2.gz will automatically decompress and display the logfile for you.
This directory is also available on the host at /var/discourse/shared/standalone/log/var-log/nginx .
Unfortunately, the nginx error.log and access.log files do not log any invalid login attempts.
Hello @Falco thanks for the reply. I promptly checked the logs just now, a correct password attempt and incorrect password attempt look the same to me (200 response):
(I sanitized the IP address and domain, the rest is untouched)
Twitter uses 400 for wrong password, but Facebook, LinkedIn, Google and Amazon returns a 200. IMO a 200 sounds wrong, but it appears to be the “normal” thing?
Maybe you can start with a plugin that hooks into this method here
awesome, thanks for the reply! soon as I get a little bit of downtime I will try making a plugin to generate this info! ( all I need is the ip address logged to a file when somebody tries logging in with an incorrect password eg: invalid login attempt from IP 10.111.222.33 )
I’m writing on the roles of selfmade webmaster and pure end user, but…
Invalid login is error 200 by definition. Sure, it can and should be internal error of an app, and at some point generate something else, like error 403 plus something else like sending recovering link, but it shouldn’t or can’t happend right away.
Fail2ban is a nice tool but really overrated. Let’s forget docker, because it makes everything harder, but just the fact it can bypass iptables of VPS is really haze thing for me. But bots have tendency change IP after every 3rd attempt and that makes Fail2ban quite toothless against pure brute attack via login.
Script kiddies are another story, of course. Thay copy&paste everything they find, give a spin and don’t play with IPs. Then Fail2ban can stop them, even they can rarely do anything harm, but increasing load. The real issue is amount of script kiddies when there is instant flood.
But as long as VPS can handle such situation it just doesn’t matter. Now is 2023 and mostly those a-holes are knocking ancient vulnerabilites of wordpress on discourse-site
But we should have some logic to stop constant logins, no matter it is not an everyday threat, I reckon.