Log file

Hey guys,

I’m looking at setting up some brute-force protection for a public Manager.io server instance, and wondered if there is some way I can log invalid login attempts?

Manager version is 22.3.64 server edition

Server is Debian Bullseye, running Apache as a rev proxy to mono/manager.io, but I can’t seem to find anything in manager that shows invalid login attempts.

Does a log file exist anywhere?

Sorry if the question has been answered already somewhere…

Thanks,

Currently no. But I don’t think this is how it should be done. Perhaps the better way would be to implement automatic lock out. If you enter wrong password 5 times or so, then the username could be locked from further attempts for 5 minutes. This would prevent ability to brute force password.

Practically speaking, if your password is long enough (8 chars) then brute force is not viable even if there is no automatic lock out as the system could handle perhaps 100 guesses per second. Then it would take 66 years to try all combinations.

Thanks for that @lubos

Agree, it would be great if it was supported natively (or better yet, 2fa :slight_smile: ), guess we were just looking for something in the interim.

Was intending to use fail2ban, if there was a log file available…

Agree it certainly helps having long passwords, but given the relatively cheap access to HPC these days, it’s certainly not as useful as it used to be.

Thanks again for the reply, and the great product.

If someone has access to hashed password then they can try millions of attempts per second. But over the network, it’s just not viable.

And even if someone has access to hashed password, then log file or automatic lock outs won’t make any difference. 2FA is better solution, I agree with that.

Most passwords are not random characters so a dictionary search will do a lot better, especially if multiple servers or user names are tried concurrently.

Not a problem for me as I choose not to expose my server to the internet, but it’s probably an issue for servers allowing general internet access.

Agreed, we generally don’t either (or have used our own freeradius + pam_google_authenticator + apache 2fa solutions), but we need to for this particular project.

@lubos - I know we’ve asked about 2fa in the past, but if you are open to some help getting this one implemented, we’d certainly be happy to offer assistance.

Thanks,

So, sorry to resurrect an old thread, but I thought others might find this useful.

For anyone who’s interested, we’ve managed to implement something based on apache logs + fail2ban, which delivers a reasonable outcome.

As mentioned, this is based on fail2ban, and can be implemented by using the following filter and jail config.

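filter:

```ini
[INCLUDES]
before = apache-common.conf

[Definition]
# Matches access-log entries for the login page requested with Error=True (HTTP/1.1, status 200)
failregex = ^<HOST> - - \[.*\] "GET \/\?Error=True&Username=.* HTTP\/1.1" 200.*$
ignoreregex =
# The second datepattern line is a continuation and must stay indented
datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
```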

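jail:

```ini
[managerio]
enabled = true
filter = managerio-filter
logpath = /var/log/apache2/managerio.log
# Count failures over a 24-hour window (value in seconds)
findtime = 86400
bantime = 10m
# Ban after 3 matching lines from the same host
maxretry = 3
port = 80,443
```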

Obviously, this relies on specific apache configuration etc, but if you’re familiar with apache + fail2ban, you should be able to make this work.

If anyone needs more info, feel free to shout out.
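To check what the filter and jail above would count before relying on them, here is an added example (not the poster's code, and not part of fail2ban) that applies the same failregex, `findtime` and `maxretry` to constructed access-log lines. It assumes Apache's common log format. The sample also includes requests logged as `HTTP/2.0`, which the regex as written does not count, so confirm which protocol string your own log records.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python rendering of the thread's failregex: <HOST> becomes a named group and
# the timestamp is captured here instead of being handled by datepattern.
FAIL_RE = re.compile(
    r'^(?P<host>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"GET /\?Error=True&Username=.* HTTP/1\.1" 200.*$'
)
FINDTIME = timedelta(seconds=86400)  # jail: findtime
MAXRETRY = 3                         # jail: maxretry

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:09:00:01 +0000] "GET /?Error=True&Username=admin HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2022:09:00:03 +0000] "GET /?Error=True&Username=admin HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2022:09:00:04 +0000] "GET / HTTP/1.1" 200 4801
203.0.113.7 - - [10/Mar/2022:09:00:06 +0000] "GET /?Error=True&Username=root HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2022:09:00:09 +0000] "GET /?Error=True&Username=alice HTTP/1.1" 200 5120
192.0.2.44 - - [10/Mar/2022:09:01:00 +0000] "GET /?Error=True&Username=bob HTTP/2.0" 200 5120
192.0.2.44 - - [10/Mar/2022:09:01:02 +0000] "GET /?Error=True&Username=bob HTTP/2.0" 200 5120
192.0.2.44 - - [10/Mar/2022:09:01:04 +0000] "GET /?Error=True&Username=bob HTTP/2.0" 200 5120
198.51.100.20 - - [11/Mar/2022:09:30:00 +0000] "GET /?Error=True&Username=alice HTTP/1.1" 200 5120
198.51.100.20 - - [11/Mar/2022:10:00:00 +0000] "GET /?Error=True&Username=alice HTTP/1.1" 200 5120
"""

def find_bans(log_text):
    """Return [(host, time_of_ban)] for hosts reaching MAXRETRY within FINDTIME."""
    recent = defaultdict(deque)  # host -> timestamps of recent matching lines
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful page loads and non-matching protocols land here
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["host"]]
        hits.append(when)
        while when - hits[0] > FINDTIME:
            hits.popleft()  # failure is older than the findtime window
        if len(hits) >= MAXRETRY:
            bans.append((m["host"], when))
            hits.clear()  # start counting afresh after a ban
    return bans

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG):
        print(f"ban {host} at {when.isoformat()}")
```

Against a real installation, `fail2ban-regex /var/log/apache2/managerio.log <path to the filter file>` reports how many lines the actual filter matches.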