Auth failure tracking and management


Auth failure tracking and management

Post by phlunk3 » Mon Jul 08, 2019 10:14 pm

Hi all

I use fail2ban to ban users from my server when they have received too many 401 error messages.

With Joomla! no 401 is shown to a user when they fail to authenticate, so this clearly does not work for me.

I looked at the logs/error.php file and found that although login failures are recorded, because I use a reverse proxy, my proxy's IP is recorded rather than the visitor's.

Can anyone tell me:
- Can we enable 401 errors for auth failure somewhere?
- Can I set the variable to be used for the client's IP somewhere? For example, setting a header such as X-Forwarded-For?

Also happy to hear of other alternative methods people are using to ban users who attempt to brute-force access to your sites, either in the frontend or the backend.

Thanks


Re: Auth failure tracking and management

Post by AMurray » Thu Jul 11, 2019 8:43 am

For brute-force protection there are many options, but one that springs to mind is Akeeba Admin Tools; reviewing these -- https://extensions.joomla.org/tags/site-security/ -- may be of help.

Since Joomla authenticates users in its database, it may have its own record of 'failed' logins, not the Apache log file.
Regards,
A Murray


Re: Auth failure tracking and management

Post by phlunk3 » Thu Jul 11, 2019 9:40 am

Thanks AMurray

Yes, Joomla! stores auth failures in logs/error.php.

I could write rules to work with this file; however, it currently records the proxy's IP rather than the client's.

I have set X-Forwarded-For headers, but this does not seem to be the solution. I was hoping someone would be able to tell me what I need to do here to avoid reading through the code.

I will take a look tomorrow towards this path and hopefully report back here with a solution.


Re: Auth failure tracking and management

Post by phlunk3 » Thu Jul 11, 2019 9:48 am

And it took two minutes to find once I looked at this: ./libraries/src/Log/Logger/FormattedtextLogger.php

    protected function formatLine(LogEntry $entry)
    {
        // Set some default field values if not already set.
        if (!isset($entry->clientIP))
        {
            // Check for proxies as well.
            if (isset($_SERVER['REMOTE_ADDR']))
            {
                $entry->clientIP = $_SERVER['REMOTE_ADDR'];
            }
            elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
            {
                $entry->clientIP = $_SERVER['HTTP_X_FORWARDED_FOR'];
            }
            elseif (isset($_SERVER['HTTP_CLIENT_IP']))
            {
                $entry->clientIP = $_SERVER['HTTP_CLIENT_IP'];
            }
        }

I will look at our proxy container and see if we can strip the REMOTE_ADDR variable to resolve this.
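
The logger excerpt above prefers REMOTE_ADDR and otherwise takes X-Forwarded-For verbatim. That header is set by whoever sends the request, so a log that feeds fail2ban should honour it only when the direct peer is a known proxy. The following is an added example, not part of the original posts and not Joomla's code; the function names and the trusted-proxy list are assumptions, and the addresses are constructed.

```php
<?php
// Added example, not Joomla code. Names and the proxy list are hypothetical.

/** True if $ip lies inside $cidr (IPv4 or IPv6). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or mixed address families
    }
    $max   = strlen($ipBin) * 8;
    $bits  = $bits === null ? $max : max(0, min($max, (int) $bits));
    $bytes = intdiv($bits, 8);
    $mask  = (0xFF << (8 - $bits % 8)) & 0xFF; // 0 when the prefix is byte-aligned
    return substr($ipBin, 0, $bytes) === substr($netBin, 0, $bytes)
        && ($mask === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask));
}

/** Address to log: X-Forwarded-For counts only when the peer is a trusted proxy. */
function resolveClientIp(array $server, array $trusted): ?string
{
    $isTrusted = fn(string $ip): bool => (bool) array_filter($trusted, fn($c) => ipInCidr($ip, $c));
    $client = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($client, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Only a trusted proxy's header is read; a direct client's is ignored.
    $header = $isTrusted($client) ? ($server['HTTP_X_FORWARDED_FOR'] ?? '') : '';
    $hops   = array_reverse(array_filter(array_map('trim', explode(',', $header)), 'strlen'));
    // Right to left: each proxy appends the peer it saw, so anything left of
    // the first untrusted address is client-supplied and is not believed.
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address we could vouch for
        }
        $client = $hop;
        if (!$isTrusted($hop)) {
            break;
        }
    }
    return $client;
}

// Constructed request: the proxy (10.0.0.5) appended the right-hand entry;
// the left-hand entry arrived in the client's own header.
$server = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9'];
echo resolveClientIp($server, ['10.0.0.0/8']), PHP_EOL;
```

The posted formatLine() only fills in clientIP when it is not already set, so an address resolved this way would be left untouched if it were placed on the entry beforehand; how to hook that into a given site is not covered here.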

