Count based Blacklisting and Brute-Force Attacks

Nvandendries

I am looking for a way to blacklist users based on incorrect login.
For example, if you use an incorrect username/password combination 5 times, the username will be blacklisted.

I would also like to see incorrect login attempts be logged in a log file so that I can set fail2ban against Brute-Force attacks.

CyberGene

Doesn’t that mean that anybody can block my username intentionally?

Nvandendries

CyberGene
I think the chance is quite small that someone else:

Guess your username.
That someone will deliberately block your username.

On the other hand, it will be nice to unblock by means of a password reset via email.

Gorm

Nvandendries yep. But attacker can change ip and proceed with bruteforce. So, fail2ban is not solution.

Real temporary user suspending (without entrance possibility) on try/login ratio will be much more effective. Maybe progressive suspending.

CyberGene Doesn’t that mean that anybody can block my username intentionally?

🙂

I can advice you to look into 2FA extension: https://discuss.flarum.org/d/32564-2fa-extension
its also can be a part of solution.

clarkwinkelmann

Do you have any example how a typical login attempt log file might be formatted to be used with fail2ban? It should be pretty easy to implement, but I'm not familiar with fail2ban configuration.

Nvandendries

clarkwinkelmann
I'll have to find out because I'm not 100% sure.
But if there were a log for failed login attempts, that would be nice.

Edit: i found this article about Fail2Ban and the formatting:
https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server#examining-the-filter-file

Gorm

clarkwinkelmann fail2ban will ban ip. Not user account.

But here is second one issue: if user account blocked.... It still available to enter for user 🙂 And still available for bruteforce. I dont know why, but banned users in Flarum still can enter, reading... It's just "read only" mode. They can see personal messages and all acessible early tags. Also, users can reset their password in banned state 🙂 Also banned users in Flarum its more similiar to suspended. They are see the date when they are will be unsuspended (in the far far future.. after 5K days).

Nvandendries

Gorm
Fail2ban should counteract brute-force by indeed banning IP. When an IP ban is in place, the server on which Flarum is installed will not use resources if a brute force occurs and it will remain accessible to other users.

User ban (account based) should actually not make it possible to give access to the entire forum, so it is not possible to log in. Only after x amount of time and, for example, password reset would access be gained again

Nvandendries

Gorm
2FA is already installed.
The chance that a brute force attacker will change their IP address and try again on 1 domain is very small, especially if they have already been blocked with 1 IP. Brute Force is also often done automatically, in which case the attack will no longer work and the server where Flarum is on will no longer be affected. So I believe that fail2ban does work.

the point is that it's not even about fail2ban, as I already indicated it would be nice if the false login attempts were logged in every case

Umutcan

Nvandendries Instead of Fail2Ban, wouldn't it be better to apply a rate limit specific to the user IP address on the Flarum login screen?

rapty88

Is there anyone who has managed to write failed logins to syslog (or to any other log file)?

rapty88

Fail2ban has the advantage of being able to integrate with MaxMind GeoIP, allowing for countries to be whitelisted.

Rate limiting can be implemented at the web server level:
https://discuss.flarum.org/d/27713-flarum-account-security/