any1 / wayvnc

A VNC server for wlroots based Wayland compositors
ISC License

Log failed authentication attempts #288

Open cRoCx opened 8 months ago

cRoCx commented 8 months ago

I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing. journalctl --grep=wayvnc returns:

Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi

The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers. Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field rhost= with an additional whitespace. But a real source IP or hostname would be better.

I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.
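The gap described in the post above, shown as an added example that is not part of the thread or of wayvnc: it parses pam_unix failure lines and separates those that name a source from those that do not. The first sample line is the one quoted in the issue; the lines with rhost filled in are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# pam_unix failure record as quoted in the issue: "(service:auth)" then key=value fields.
PAM_FAILURE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;(?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # an empty value such as "rhost=" parses as ""


def parse_pam_failure(line):
    """Return the pam_unix fields as a dict, or None if the line is not a failure."""
    m = PAM_FAILURE.search(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    fields["service"] = m.group("service")
    return fields


def triage(lines, service="wayvnc"):
    """Count failures per source host, and count failures that name no source."""
    per_source = Counter()
    unattributed = 0
    for line in lines:
        fields = parse_pam_failure(line)
        if fields is None or fields["service"] != service:
            continue
        rhost = fields.get("rhost", "")
        if rhost:
            per_source[rhost] += 1
        else:
            unattributed += 1  # no host for a per-source ban to act on
    return per_source, unattributed


SAMPLE = [
    # Line quoted in the issue: rhost is empty.
    "Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi",
    # Constructed: the same record if rhost carried the peer address (assumption).
    "Jan 20 17:10:02 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=192.0.2.10  user=pi",
    "Jan 20 17:10:05 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=192.0.2.10  user=pi",
    # Constructed: unrelated line that must be ignored.
    "Jan 20 17:10:09 raspberrypi wayvnc[1693]: Info: client connected",
]

if __name__ == "__main__":
    sources, missing = triage(SAMPLE)
    print("failures per source:", dict(sources))
    print("failures with no source:", missing)
```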

any1 commented 7 months ago

I have nothing against adding an info-level log message about failed login attempts although you can use wayvncctl to get at this information as is.

Still, I'm not sure if fail2ban is such a good idea...

4k3or3et commented 1 month ago

I would also like to ask to add that feature. Blocking brute-force/DDoS attacks is crucial for me.

4k3or3et commented 1 month ago

> I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing. journalctl --grep=wayvnc returns:
>
> Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi
>
> The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers. Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field rhost= with an additional whitespace. But a real source IP or hostname would be better.
>
> I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.

Have you found by any chance any workaround for how to set up fail2ban for wayvnc?

cRoCx commented 1 month ago

@4k3or3et No, I haven't found a proper workaround … yet.