
Log failed authentication attempts

Open cRoCx opened this issue 1 year ago • 4 comments

I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing. journalctl --grep=wayvnc returns:

Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi

The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers. Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field rhost= with an additional whitespace. But a real source IP or hostname would be better.

I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.

cRoCx, Jan 20 '24 21:01
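The problem described in the post above, as an added illustration (not code from the wayvnc project or from anyone in this thread): a small Python parser for the pam_unix failure line that separates failures carrying a usable rhost from those that do not. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Syslog prefix + pam_unix failure record, in the shape quoted in the issue.
PAM_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s[\w.-]+\[\d+\]:\s"
    r"pam_unix\((?P<service>[^:)]+):auth\):\sauthentication failure;\s(?P<fields>.*)$"
)
# key=value pairs; \S* lets a value be empty, which is the rhost= case.
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_failure(line):
    """Return the failure's fields, or None if the line is not a PAM auth failure."""
    m = PAM_FAILURE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    return {
        "ts": m.group("ts"),
        "service": m.group("service"),
        "user": fields.get("user") or None,
        "rhost": fields.get("rhost") or None,  # empty string becomes None
    }

def summarize(lines):
    """Split failures into those attributable to a source address and those that are not."""
    by_source, unattributed = Counter(), Counter()
    for rec in filter(None, map(parse_failure, lines)):
        if rec["rhost"]:
            by_source[(rec["service"], rec["rhost"])] += 1
        else:
            unattributed[(rec["service"], rec["user"])] += 1
    return by_source, unattributed

SAMPLE = [
    # Line quoted in the issue.
    "Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi",
    # Constructed: a second failure in the same shape.
    "Jan 20 17:09:58 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi",
    # Constructed: a PAM service that does set rhost (documentation address).
    "Jan 20 17:10:02 raspberrypi sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=pi",
    # Constructed: a PAM session line that must be ignored.
    "Jan 20 17:10:05 raspberrypi sshd[2101]: pam_unix(sshd:session): session opened for user pi(uid=1000) by (uid=0)",
]

if __name__ == "__main__":
    by_source, unattributed = summarize(SAMPLE)
    print("attributable to a source:", dict(by_source))
    print("no source address (cannot be banned by address):", dict(unattributed))
```

The wayvnc failures end up in the second bucket, keyed only by service and user, so there is no address that a per-host ban could act on.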

I have nothing against adding an info-level log message about failed login attempts although you can use wayvncctl to get at this information as is.

Still, I'm not sure if fail2ban is such a good idea...

any1, Feb 18 '24 19:02

I would also like to ask to add that feature. Blocking brute-force/DDoS attacks is crucial for me.

4k3or3et, Aug 22 '24 21:08

> I tried to create a fail2ban rule to enable rate limiting for the authentication. Turns out that some log information is missing. journalctl --grep=wayvnc returns:
>
> Jan 20 17:09:53 raspberrypi wayvnc[1693]: pam_unix(wayvnc:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost= user=pi
>
> The hostname or IP address where the authentication is coming from is empty, which makes it impractical to identify potential attackers. Would it be possible to feed this information into the logs? It seems like it actually tries to fill in an IP address or hostname, since it fills the field rhost= with an additional whitespace. But a real source IP or hostname would be better.
>
> I tried tricking fail2ban into not needing this information, but then its config fails to load and it complains about missing identification regex parameters like a source hostname or ip address field.

Have you found by any chance any workaround for how to set up fail2ban for wayvnc?

4k3or3et, Aug 22 '24 21:08