Opened 8 years ago

Closed 7 years ago

#5460 closed enhancement (fixed)

Log IP address when a user enters a wrong password

Reported by: Elinvention
Owned by:
Priority: minor
Milestone: 0.10.0
Component: programming
Keywords: logging, small
Cc:
Parent Tickets:

Description

If I try to log in with a wrong password, this message is logged:

WARNING:mediagoblin.auth.tools:Wrong password for u'elinvention'

I'd like to set up fail2ban for MediaGoblin, but without the IP address I can't do much...

A message like this would be better:

WARNING:mediagoblin.auth.tools:Wrong password for u'elinvention' from xxx.xxx.xxx.xxx

Attachments (1)

0001-Fix-5460-Log-IP-address-for-failed-login.patch (1.3 KB) - added by ayleph 7 years ago.

Change History (6)

comment:1 by Ben Sturmfels, 8 years ago

Keywords: small added
Priority: trivial → minor

comment:2 by ShawnRisk, 7 years ago

Milestone: 1.0 → 0.10.0

comment:3 by ayleph, 7 years ago

We can pull the address out of the request, but we don't pass the request down to the function that checks the login. I don't know that it makes sense to modify the arguments to that function, so here's an alternative. If the login check fails, we log the IP address back up in mediagoblin.auth.views where we do have access to the request. It results in log entries like this.

2017-08-15 02:06:02,044 WARNING [mediagoblin.auth.tools] Wrong password for u'admin'
2017-08-15 02:06:02,045 WARNING [mediagoblin.auth.views] Failed login attempt from 'xxx.xxx.xxx.xxx'
2017-08-15 02:06:16,700 INFO    [mediagoblin.auth.tools] User u'cats' not found
2017-08-15 02:06:16,708 WARNING [mediagoblin.auth.views] Failed login attempt from 'xxx.xxx.xxx.xxx'

I'll upload the patch that enables this.
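
Added example, not part of the ticket or of MediaGoblin's code: a small parser for the two-line log format shown in comment:3 that counts failed logins per address in a sliding window, which is the job a fail2ban filter would do with these entries. The function name, the thresholds and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout from the excerpt in comment:3: timestamp, level, [logger], message.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \w+\s+\[([\w.]+)\] (.*)$")
# Whole-message match so text inside a logged username is never read as an address.
FAILED = re.compile(r"^Failed login attempt from '([0-9A-Fa-f:.]+)'$")
USER = re.compile(r"^(?:Wrong password for|User) u?'(.*?)'(?: not found)?$")

def find_offenders(lines, max_failures=3, window=timedelta(minutes=10)):
    """Map IPs reaching max_failures within window (both assumed values) to usernames tried."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames paired with that ip
    offenders, last_user = {}, None
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue
        stamp, logger, msg = m.groups()
        if logger == "mediagoblin.auth.tools":
            u = USER.match(msg)
            last_user = u.group(1) if u else None
        hit = FAILED.match(msg) if logger == "mediagoblin.auth.views" else None
        if not hit:
            continue
        ip, ts = hit.group(1), datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        # Pairing with the preceding line is best effort: concurrent logins interleave.
        if last_user is not None:
            users[ip].add(last_user)
            last_user = None
        recent[ip].append(ts)
        while ts - recent[ip][0] > window:
            recent[ip].popleft()
        if len(recent[ip]) >= max_failures:
            offenders[ip] = sorted(users[ip])
    return offenders

# Constructed sample in the ticket's log format (documentation-range addresses).
SAMPLE = """\
2017-08-15 02:06:02,044 WARNING [mediagoblin.auth.tools] Wrong password for u'admin'
2017-08-15 02:06:02,045 WARNING [mediagoblin.auth.views] Failed login attempt from '203.0.113.7'
2017-08-15 02:06:16,700 INFO    [mediagoblin.auth.tools] User u'cats' not found
2017-08-15 02:06:16,708 WARNING [mediagoblin.auth.views] Failed login attempt from '203.0.113.7'
2017-08-15 02:06:20,100 WARNING [mediagoblin.auth.tools] Wrong password for u'admin'
2017-08-15 02:06:20,101 WARNING [mediagoblin.auth.views] Failed login attempt from '198.51.100.20'
2017-08-15 02:07:01,300 WARNING [mediagoblin.auth.tools] Wrong password for u'admin'
2017-08-15 02:07:01,301 WARNING [mediagoblin.auth.views] Failed login attempt from '203.0.113.7'
""".splitlines()
```

Because the address and the username arrive on separate lines from separate loggers, only the `mediagoblin.auth.views` line is safe to match for banning; the username pairing is useful for triage but can be wrong when several logins fail at the same moment.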

comment:4 by ayleph, 7 years ago

Status: new → review

comment:5 by ayleph, 7 years ago

Resolution: fixed
Status: review → closed

Pushed in b121d89.
