[SERVER-16452] Failed login attempts should log source IP address
Created: 08/Dec/14 | Updated: 06/Jan/17 | Resolved: 18/Feb/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Logging, Security |
| Affects Version/s: | 2.6.5 |
| Fix Version/s: | 3.0.1, 3.1.0 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Markus Mahlberg |
| Assignee: | Spencer Jackson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | connection |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Completed: | |
| Sprint: | Security [00-02-20-15] |
| Participants: | |

| Description |
MongoDB does not log failed login attempts. For installations which need to be open to the public internet (for example because you have mobile clients), this makes it basically impossible to implement some sort of brute force prevention, like fail2ban. Fail2Ban scans log files for failed login attempts and uses various mechanisms like iptables or libwrap (not applicable to MongoDB) to lock IP addresses out after a certain number of failed login attempts.
| Comments |
| Comment by Githook User [ 03/Mar/15 ] |
Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)
Message: (cherry picked from commit 1cdc79db66bea34430da70c10b12ec61255da003)
| Comment by Spencer Jackson [ 25/Feb/15 ] |
If we backport this to v3.0, we should probably hold it out of the initial release, and merge it into v3.0.1.
| Comment by Githook User [ 18/Feb/15 ] |
Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)
Message:
| Comment by Markus Mahlberg [ 09/Dec/14 ] |
Absolutely. Most brute force blockers parse single lines in the log file and extract the information needed. I would like to suggest keeping the format as simple as possible, something like FAILED.*IP:_127.0.0.1 (the underscores denoting word boundaries), to make parsing efficient and easy to implement. Furthermore, if not already the case, the log messages should be sent via the security facility when using syslog instead of file-based logging. I'll be happy to provide the corresponding configuration for fail2ban and denyhosts (which would need SERVER-16453 to be fixed, too).
| Comment by Andy Schwerin [ 08/Dec/14 ] |
MongoDB does log authentication failures, in 2.6 and 2.8. However, it does not presently log the IP address of the attempt on the same log line as the failure message. The IP address of the remote is currently logged only when the connection is established, and the authentication failure is logged subsequently. The lines can be linked by the unique integer identifying the connection (i.e., [conn123]), but that's not useful for a regex parser. Would it suffice to add the IP address to the existing failure messages, markus.mahlberg@icloud.com?