Flood-UI / flood

A web UI for rTorrent, qBittorrent and Transmission with a Node.js backend and React frontend. Migrate to v4: https://github.com/jesec/flood/wiki/Migrate-from-older-versions-of-Flood.
https://flood.js.org
GNU General Public License v3.0

Logging #526

Closed phonicmouse closed 6 years ago

phonicmouse commented 6 years ago

Is there any way to log login attempts? I'm running a public instance of your software and i'm a paranoid about security. P.

noraj commented 6 years ago

Hello @phonicmouse.

For systemd

My server is running archlinux, and as explained here I configured flood to run as a system service. So I can use journalctl log tool of systemd to check the logs of flood: sudo journalctl -u flood.

For testing purposes you can launch sudo journalctl -u flood -f to monitor flood in real time. Then in your browser open the flood authentication form. If you log in with wrong credentials you will see something like this in your logs:

Nov 11 12:02:27 host npm[1737]: POST /auth/authenticate 401 7.138 ms - 27

And now if you log in with good credentials:

Nov 11 12:02:44 rawsec npm[1737]: POST /auth/authenticate 200 835.136 ms - 184

So the difference is about catching the http 401 or 200 return code.

If you don't use a systemd service you won't be able to use the -u option of journalctl, but you can still use the PID of the flood process, for example journalctl _PID=8088, or if you run flood as a dedicated user you can find its UID with id -u flood and then filter on the UID, for example journalctl _UID=33.

You can of course see how systemd works to find time and date filters.

To find the failed login attempts you may use --no-pager option to redirect journalctl output to stdout:

$ sudo journalctl -u flood --no-pager | grep "POST /auth/authenticate 401"
Apr 17 10:42:23 host npm[30058]: POST /auth/authenticate 401 974.704 ms - 48
Nov 11 12:02:27 host npm[1737]: POST /auth/authenticate 401 7.138 ms - 27
Nov 11 12:14:46 host npm[1737]: POST /auth/authenticate 401 7.203 ms - 27

Or you can even use -o json to export the output as JSON if you have an app to monitor that.

A great start is How To Use Journalctl to View and Manipulate Systemd Logs and of course the man page.

For other systems

I don't know sorry.

In general

Anyway it would be great for flood to support some options in the config file like

access_log: '/var/log/flood/access.log',
error_log: '/var/log/flood/error.log',
general_log: '/var/log/flood/general.log',

in order to log events in chosen separate files instead of letting the system handle it. And it would be great to also have security events instead of relying on the HTTP server logs.

Update: also see #498 for logging level. And in general it's not only about logging login attempts but about having a decent logging system. @jfurrow Let's see 4 Node.js Logging libraries which make sophisticated logging simpler.
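The grep above answers "how many 401s", but a practitioner usually wants "how many failures, how close together". As an added example (not Flood's own code, and not something the thread's participants posted), the script below runs the same detection over a few constructed journal lines in the format shown above: it counts /auth/authenticate requests per HTTP status and flags any minute in which failures reach a threshold. Field positions assume the exact line layout of `journalctl -u flood --no-pager` as printed in this thread; the threshold and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: burst detection over Flood's request log lines as they
# appear in journalctl output. Not part of the Flood project.

# Constructed sample, mimicking `sudo journalctl -u flood --no-pager`.
# Field layout per line:
#   $1 month, $2 day, $3 HH:MM:SS, $4 host, $5 unit[pid]:,
#   $6 method, $7 path, $8 HTTP status, then timing and size.
SAMPLE_LOG='Nov 11 12:02:27 host npm[1737]: POST /auth/authenticate 401 7.138 ms - 27
Nov 11 12:02:29 host npm[1737]: POST /auth/authenticate 401 7.201 ms - 27
Nov 11 12:02:31 host npm[1737]: POST /auth/authenticate 401 7.090 ms - 27
Nov 11 12:02:44 host npm[1737]: POST /auth/authenticate 200 835.136 ms - 184
Nov 11 12:14:46 host npm[1737]: POST /auth/authenticate 401 7.203 ms - 27
Nov 11 12:15:02 host npm[1737]: GET /api/torrents 200 12.000 ms - 2048'

# count_auth STATUS
#   Reads journal lines on stdin; prints how many /auth/authenticate
#   requests returned the given HTTP status (e.g. 401 or 200).
count_auth() {
    awk -v code="$1" '
        $7 == "/auth/authenticate" && $8 == code { n++ }
        END { print n + 0 }'
}

# failed_bursts THRESHOLD
#   Reads journal lines on stdin; for every minute in which the number of
#   401 responses on /auth/authenticate reaches THRESHOLD, prints
#   "Mon DD HH:MM count", in order of first occurrence.
failed_bursts() {
    awk -v t="$1" '
        $7 == "/auth/authenticate" && $8 == "401" {
            minute = $1 " " $2 " " substr($3, 1, 5)   # drop the seconds
            if (n[minute]++ == 0) keys[++k] = minute  # remember first-seen order
        }
        END {
            for (i = 1; i <= k; i++)
                if (n[keys[i]] >= t) print keys[i], n[keys[i]]
        }'
}

# Stand-alone run against the constructed sample.
printf 'failed logins: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_auth 401)"
printf 'successful logins: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_auth 200)"
printf 'bursts (>= 3 failures in one minute):\n'
printf '%s\n' "$SAMPLE_LOG" | failed_bursts 3
```

On a real host, replace the sample with `sudo journalctl -u flood --no-pager | failed_bursts 3`. Note what these lines do not carry: a client address. They tell you that someone failed to log in, not who, so on their own they cannot feed an address-based blocker; if Flood sits behind a reverse proxy, the proxy's access log is where the client IP for each 401 would be found.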

0xcaff commented 6 years ago

If you are worried about security, don't just monitor login attempts. Protect the application server with a reverse proxy using something like client certificates. Here's a guide.

phonicmouse commented 6 years ago

@noraj1337 I'm a really stupid man, I already did that when I installed it and I just forgot that there must have been some kind of request log... @0xcaff I would really prefer not to do that, I access my flood installation from a series of different computers and IPs since I travel a lot and most of the time I use computers that are not mine. Anyway what I was looking for was an IP access log, so I can write a fail2ban rule to block IPs after a number of failed logins. That would be really awesome. If I find time I can do it by myself and then create a pull request. In the meantime thanks for the help from you both.

noraj commented 6 years ago

@phonicmouse We won't add fail2ban in flood. That's not the job of flood.

phonicmouse commented 6 years ago

@noraj1337 I explained it badly. I just want to use fail2ban on my server. What I want to add is the request IP in the flood log, so I can write a rule for fail2ban to look for repeated 401 responses to the same address and then ban that address.

Anyway, thank you all for help, I think my problem has been solved. I'm closing the issue.

noraj commented 6 years ago

@phonicmouse My bad.