Log file should [optionally] include IP addresses for failed login attempts

[Aesir]

• I am running the latest version - Version: v0.105.2
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Problem Description

There are currently no overall limits or rate limits for failed login attempts, allowing someone to attempt to brute-force attack the server. There are standard fixes for this issue, e.g. fail2ban, but they require a timestamp and IP address of failed login attempts to be logged to a file. Currently, we can set log_file in AdguardHome.yaml to get most of this but even setting verbose to true does not give us the necessary IP address to ban.

Proposed Solution

Obviously, there are a lot of privacy-minded people using Adguard Home solely on private networks and VPNs, so not everyone would want an IP address of any sort logged. The ideal solution would be to make it so you could only log IPs on failed login attempts. Since these sorts of solutions tend to be behind reverse proxies it would be really nice to be able to say which header (e.g. X-Client-IP, X-Real-IP) to log the IP from as well. This is extremely necessary for those of us running on a VPS who don't want to bring our dns down to expose ports every time we want to check the stats or make a filter change.

Alternatives Considered

Adguard Home could implement its own rate limiting and banning. This wouldn't have the benefit of banning from other things running on the same server and would require a lot more work for the developers as well as configuration for users.

Additional Information

Currently, the log lines look like this:
2021/03/16 07:59:47 1#204 [info] Auth: invalid user name or password: name="admin"

[ameshkov]

Tbh, I don't see any issues with logging IP addresses of failed attempts by default without any additional settings. Regardless of how privacy-minded people use AG, this may be a security issue.

Also, I guess it's time to have some protection against brute-force attacks: #2826

[Aesir]

Tbh, I don't see any issues with logging IP addresses of failed attempts by default without any additional settings. Regardless of how privacy-minded people use AG, this may be a security issue.

If the user mistypes their password, their IP would end up in the log files. I agree that it's probably overboard for the vast majority of people but there are definitely people who are, and have reason to be, that paranoid.

[ameshkov]

Well, it's their own instance after all.

[ameshkov]

I guess we could just write this info in the debug level log, and keep it simple in INFO.

[Aesir]

Something like the log level would probably work. I fully expected to see it when I turned verbose logging on.

[ainar-g]

Should be fixed on the edge channel as of snapshot 8746005. The message that is shown in the logs will look like:

2021/04/06 12:00:00 144103#134 [info] auth: failed to login user "john.doe" from ip "192.168.12.34"

Can you please check if our solution fixes the issue for you?

[Aesir]

Sorry, I recently had a death in the family and won't be at my workstation for a week or two so I can't test it. The log line you posted looks perfect though.

[ainar-g]

Our condolences to you and your family.

I hope it's okay for me to close the issue for now. Please reopen if you find any issues with the implementation.