[SERVER-16452] Failed login attempts should log source IP address Created: 08/Dec/14  Updated: 06/Jan/17  Resolved: 18/Feb/15

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: 2.6.5
Fix Version/s: 3.0.1, 3.1.0

Type: Improvement Priority: Major - P3
Reporter: Markus Mahlberg Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: connection
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-22054 Authentication failure reports incorr... Closed
related to SERVER-27595 Client IP address not shown Closed
is related to SERVER-16453 MongoDB server should obey /etc/hosts... Backlog
Backwards Compatibility: Fully Compatible
Backport Completed:
Sprint: Security [00-02-20-15]
Participants:

 Description   

MongoDB does not log failed login attempts.

For installations which need to be open to the public internet (for example because you have mobile clients), this makes it basically impossible to implement some sort of brute force prevention, like fail2ban. Fail2Ban scans log files for failed login attempts and uses various mechanisms like iptables or libwrap (not applicable to MongoDB) to lock IP addresses out after a certain number of failed login attempts.



 Comments   
Comment by Githook User [ 03/Mar/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-16452 Add IP address to authentication failure error message

(cherry picked from commit 1cdc79db66bea34430da70c10b12ec61255da003)
Branch: v3.0
https://github.com/mongodb/mongo/commit/760211f7b8ab5a1cf3c75994255653530cf12285

Comment by Spencer Jackson [ 25/Feb/15 ]

If we backport this to v3.0, we should probably hold it out of the initial release, and merge it into v3.0.1.

Comment by Githook User [ 18/Feb/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-16452 Add IP address to authentication failure error message
Branch: master
https://github.com/mongodb/mongo/commit/1cdc79db66bea34430da70c10b12ec61255da003

Comment by Markus Mahlberg [ 09/Dec/14 ]

Absolutely. Most brute force blockers parse single lines in the log file and extract the information needed. I would like to suggest making the format as easy as possible, something like FAILED.*IP:_127.0.0.1 (the underscores denoting word boundaries), to make parsing efficient and easy to implement.

Furthermore, if not already the case, the log messages should be sent via the security facility when using syslog instead of file based logging.

I'll be happy to provide the according configuration for fail2ban and denyhosts (which would need SERVER-16453 to be fixed, too).

Comment by Andy Schwerin [ 08/Dec/14 ]

MongoDB does log authentication failures, in 2.6 and 2.8. However, it does not presently log the IP address of the attempt on the same log line as the failure message. The IP address of the remote is currently logged only when the connection is established, and the authentication failure is logged subsequently. The lines can be linked by the unique integer identifying the connection (i.e., [conn123]), but that's not useful for a regex parser.

Would it suffice to add the IP address to the existing failure messages, markus.mahlberg@icloud.com?
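
The correlation described in the comment above, as an added example (not MongoDB's code and not written by any commenter): a stateful parser that joins each authentication failure to the IP from the earlier connection line through the connection id, which is the step a single-line regex tool such as fail2ban cannot perform. The log line layout, the sample lines and the function names are constructed assumptions modelled on 2.6-era output.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is an assumption modelled on 2.6-era
# mongod logs, where only the "connection accepted" line carries the remote IP.
SAMPLE_LOG = """\
2014-12-08T10:15:01.100+0000 [initandlisten] connection accepted from 203.0.113.7:51234 #123 (1 connection now open)
2014-12-08T10:15:01.200+0000 [conn123] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed
2014-12-08T10:15:01.300+0000 [initandlisten] connection accepted from 198.51.100.9:40022 #124 (2 connections now open)
2014-12-08T10:15:01.400+0000 [conn123] Failed to authenticate admin@admin with mechanism MONGODB-CR: AuthenticationFailed
2014-12-08T10:15:01.500+0000 [conn124] Failed to authenticate app@prod with mechanism MONGODB-CR: AuthenticationFailed
2014-12-08T10:15:01.600+0000 [conn123] end connection 203.0.113.7:51234 (1 connection now open)
2014-12-08T10:15:01.700+0000 [initandlisten] connection accepted from 203.0.113.7:51240 #125 (2 connections now open)
2014-12-08T10:15:01.800+0000 [conn125] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed
2014-12-08T10:15:01.900+0000 [conn999] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed
"""

ACCEPT_RE = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
FAIL_RE = re.compile(r"\[conn(\d+)\] Failed to authenticate (\S+)")
END_RE = re.compile(r"\[conn(\d+)\] end connection")

def failed_logins_by_ip(lines):
    """Return (failures per source IP, number of failures with no known IP)."""
    conn_ip = {}      # connection id -> remote IP, learned from accept lines
    per_ip = Counter()
    orphans = 0       # failures whose accept line was never seen (e.g. rotated log)
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(2)] = m.group(1)
        elif m := FAIL_RE.search(line):
            ip = conn_ip.get(m.group(1))
            if ip is None:
                orphans += 1
            else:
                per_ip[ip] += 1
        elif m := END_RE.search(line):
            conn_ip.pop(m.group(1), None)   # forget closed connections
    return per_ip, orphans

def offenders(per_ip, threshold=3):
    """IPs at or above the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    counts, unattributed = failed_logins_by_ip(SAMPLE_LOG.splitlines())
    print(dict(counts), "unattributed:", unattributed, "block:", offenders(counts))
```

The unattributed count matters operationally: after log rotation or a parser restart, failures on long-lived connections cannot be mapped to an IP, which is why putting the address on the failure line itself is the more robust fix.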

Generated at Thu Feb 08 03:41:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.