Project

General

Profile

Actions

Feature #35787

closed

add IP address to "401 Unauthorized" log messages

Added by Dietrich Streifert over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Category:
REST API
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix

Description

Hi all,

I'm in need to add a fail2ban filter/jail which allows blocking of IPs trying to use the REST api unauthorized.

Currently redmine logs this attempts like this:

2021-08-20 13:18:43 +0200 (185) Completed 401 Unauthorized in 4ms (ActiveRecord: 1.5ms)

which is not sufficient for fail2ban filters, because the IP address is missing.

It would be nice to additionally display the requesting IP in that log line, e.g.:

2021-08-20 13:18:43 +0200 (185) Completed 401 Unauthorized in 4ms (ActiveRecord: 1.5ms) from 1.2.3.4

This way it would be possible to write a filter usable for fail2ban.

Actions #1

Updated by Stefan Lindner over 3 years ago

+1

Actions #2

Updated by Go MAEDA over 3 years ago

I don't think we have to implement the feature. By adding the following line to config/additional_environment.rb, the client's IP address will be recorded in every line of the log.

config.log_tags = config.log_tags.to_a + [:remote_ip]

The log looks as follows.

[127.0.0.1] Started GET "/login" for 127.0.0.1 at 2021-08-21 10:26:35 +0900
[127.0.0.1] Processing by AccountController#login as HTML
[127.0.0.1]   Current user: anonymous
[127.0.0.1]   Rendered account/login.html.erb within layouts/base (Duration: 8.7ms | Allocations: 1435)
[127.0.0.1]   Rendered layout layouts/base.html.erb (Duration: 34.1ms | Allocations: 6278)
[127.0.0.1] Completed 200 OK in 47ms (Views: 34.7ms | ActiveRecord: 2.8ms | Allocations: 8520)
Actions #3

Updated by Mischa The Evil over 3 years ago

  • Status changed from New to Needs feedback
  • Assignee set to Dietrich Streifert

Can you all please provide some feedback following Go's suggestion?

Actions #4

Updated by Dietrich Streifert over 3 years ago

Thank you for your feedback and suggestion.

I tried Go's suggestion but it does not work. I've added exactly the line into config/additional_environment.rb but the IP address does not show up in the log.

My setup is a docker compose stack using the docker image redmine:4-passenger currently running redmine version 4.1.1.stable where I'm using the log file /usr/src/redmine/log/passenger.3000.log.

I've added the line suggested by Go into config/additional_environment.rb and mapped that file to /usr/src/redmin/config/additional_environment.rb added permissions and file ownership par to config/environment.rb, checked if the setting are there from whithin the running container. Now the content of config/additional_environment.rb is as follows:

config.logger = Logger.new(STDOUT)

config.log_tags = config.log_tags.to_a + [:remote_ip]

I've managed to add some code in config/environment.rb changing the timestamp in the log lines via

class Logger
  def format_message(severity, timestamp, progname, msg)
    "#{timestamp} (#{$$}) #{msg}\n" 
  end
end

which works as expected.

Currently, with the addition from Go in config/additional_environment.rb, the log output in passenger.3000.log looks like this:

App 199 output: 2021-08-24 09:31:06 +0200 (199) Started GET "/users/current.xml" for 136.243.54.73 at 2021-08-24 09:31:06 +0200
App 199 output: 2021-08-24 09:31:06 +0200 (199) Processing by UsersController#show as XML
App 199 output: 2021-08-24 09:31:06 +0200 (199)   Parameters: {"id"=>"current"}
App 199 output: 2021-08-24 09:31:06 +0200 (199) User find_by_api_key 'dfasdfasdfasdf' gefunden: ''
App 199 output: 2021-08-24 09:31:06 +0200 (199)   Current user: anonymous
App 199 output: 2021-08-24 09:31:06 +0200 (199) Filter chain halted as #<Proc:0x0000564c7bb5e460@/usr/src/redmine/app/controllers/users_controller.rb:25 (lambda)> rendered or redirected
App 199 output: 2021-08-24 09:31:06 +0200 (199) Completed 401 Unauthorized in 9ms (ActiveRecord: 3.7ms)

Actions #5

Updated by Dietrich Streifert over 3 years ago

Some additional note:

From my point of view adding the IP to every log line is problematic with respect to the GDPR in Europe, as it is not necessary to log the IP for every single action.

In situations where someone tries to log in or access resources without authorization, it is necessary to know the IP address in order to take action, such as blocking the potential attacker via the firewall.

So having the IP address logged only in this specific situation would be the far better solution.

Actions #6

Updated by Marius BĂLTEANU almost 3 years ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Wont fix

Dietrich Streifert wrote:

Some additional note:

From my point of view adding the IP to every log line is problematic with respect to the GDPR in Europe, as it is not necessary to log the IP for every single action.

In situations where someone tries to log in or access resources without authorization, it is necessary to know the IP address in order to take action, such as blocking the potential attacker via the firewall.

So having the IP address logged only in this specific situation would be the far better solution.

Totally agree, I’m closing this.

For more help, please use Forums.

Actions

Also available in: Atom PDF