Log authentication attempts when PASSWORD environment variable is used
Description
Background: It’s possible to enable password authentication to access the dashboard using the PASSWORD environment variable. If you try to authenticate with the wrong password you will be met with an error message, but nothing related to the authentication attempt will be logged.
Suggestion: Have Homarr log authentication attempts when the PASSWORD environment variable is used.
The log could be of similar form as Sonarr, Radarr and Lidarr:
2022-11-14 15:00:00.0|Warn|Auth|Auth-Failure ip 123.123.123.123
To prevent log clutter or endlessly growing logs, one could use rotating logs or a daily cut-off point as in the case of the *arr apps. Logs older than a certain threshold could be culled with a simple cron job. For those with privacy concerns or certain threat models, logging could also be disabled with a boolean. In my mind, a docker compose with these features would look something like this:
...
- PASSWORD=SuperSecretPassword
- ENABLE_AUTH_LOG=true
- KEEP_AUTH_LOG=720h # 30 days, only necessary if ENABLE_AUTH_LOG=true
...
I believe this feature would help users become more aware of authentication attempts made against their dashboard. As an added benefit it would also allow for other services such as Fail2ban to act on failed authentication attempts.
While this feature can partly be achieved already using Nginx’s Basic HTTP authentication, I see no reason it should not be native to Homarr as it can only ever add to user security.
Priority
Low (Nice-to-have)
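As an added example (not Homarr's own code), a small TypeScript sketch of what the issue asks for: the Sonarr-style failure line, a password check that does not stop at the first mismatching character, the ENABLE_AUTH_LOG toggle, a KEEP_AUTH_LOG retention cut-off, and the pattern a Fail2ban filter could match against the resulting lines. The "720h"-style duration syntax and every function name here are assumptions.

```typescript
// Added example, not Homarr's code; setting names and duration syntax are assumed.
// Parse a Go-style duration such as "720h", "30m" or "45s" into milliseconds.
function parseKeepDuration(value: string): number {
  const m = /^(\d+)([hms])$/.exec(value.trim());
  if (!m) throw new Error(`invalid KEEP_AUTH_LOG value: ${value}`);
  const unit = { h: 3_600_000, m: 60_000, s: 1_000 }[m[2] as "h" | "m" | "s"];
  return Number(m[1]) * unit;
}
// Timestamp as the *arr apps write it: "2022-11-14 15:00:00.0" (UTC, tenths of a second).
function formatTimestamp(d: Date): string {
  const p = (n: number) => String(n).padStart(2, "0");
  const date = `${d.getUTCFullYear()}-${p(d.getUTCMonth() + 1)}-${p(d.getUTCDate())}`;
  const time = `${p(d.getUTCHours())}:${p(d.getUTCMinutes())}:${p(d.getUTCSeconds())}`;
  return `${date} ${time}.${Math.floor(d.getUTCMilliseconds() / 100)}`;
}
// One log line: only the client IP is recorded, never the password that was tried.
function authFailureLine(ip: string, at: Date): string {
  return `${formatTimestamp(at)}|Warn|Auth|Auth-Failure ip ${ip}`;
}
// The shape a Fail2ban failregex would need for that line; returns the offending IP.
const AUTH_FAILURE_RE = /^\S+ \S+\|Warn\|Auth\|Auth-Failure ip (\S+)$/;
function extractFailureIp(line: string): string | null {
  const m = AUTH_FAILURE_RE.exec(line);
  return m ? m[1] : null;
}
// Compare every character instead of returning at the first mismatch, so response
// time does not reveal how much of the password was right.
function checkPassword(supplied: string, expected: string): boolean {
  let diff = supplied.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ (supplied.charCodeAt(i) || 0);
  }
  return diff === 0;
}
// Authenticate; on failure append a line to the log sink when ENABLE_AUTH_LOG is on.
function handleLogin(supplied: string, expected: string, ip: string, at: Date,
                     enabled: boolean, sink: string[]): boolean {
  const ok = checkPassword(supplied, expected);
  if (!ok && enabled) sink.push(authFailureLine(ip, at));
  return ok;
}
// Retention: keep only lines younger than keepMs (the KEEP_AUTH_LOG cut-off).
function pruneLog(lines: string[], now: Date, keepMs: number): string[] {
  return lines.filter((l) => {
    // "YYYY-MM-DD HH:MM:SS.f" is 21 characters; turn it back into an ISO UTC instant.
    const at = Date.parse(l.slice(0, 21).replace(" ", "T") + "00Z");
    return Number.isFinite(at) && now.getTime() - at <= keepMs;
  });
}
```

pruneLog is what a daily cron job would run over the file; in production the sink would be an appended log file rather than an in-memory array.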
Issue Analytics
- Created 10 months ago
- Comments: 10 (4 by maintainers)
Top GitHub Comments
I know services like Gotify let Docker handle the logging; it’s then still possible to “export” the logs using the entrypoint option. A docker compose file then has the following added to it:
So as long as it’s possible to somehow access the logs and write them to your own file, like with the entrypoint example above, there should be no need for a full-blown log system.
I am not a Docker developer, so I can’t help further with how that would look like.
Ok, I understand your comment on the PR better @manuel-rw. I’ll fix it.