I have been using InvoicePlane for a bit more than 1 year and I am on version 1.4.4 on my own server, exposed to the internet. I like this tool very much, but I wonder how I could make it a bit more secure. I wanted to use fail2ban because I use it on the server side to secure different services. But I could not find a way to make InvoicePlane log failed password attempts. After a little searching I found a solution which works for me, although it is not really elegant because of my limited experience with PHP.
I had to add the following line:
error_log('error invoiceplane login: wrong password ' . $_SERVER['REMOTE_ADDR']);
after the line with
As a result, every login with a wrong password is logged to the web server's default error log, for nginx: /var/log/nginx/error.log
The rest is standard fail2ban “magic”. You can download my suggestion for fail2ban, including jail.conf and filter file, at:
invoiceplane filter: https://it-support-ffm.de/downloads/invoiceplane/invoiceplane.conf
IT Support Florian Reichardt
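
How a fail2ban-style filter could pick these entries out of the nginx error log and decide when to ban, as an added example that is not part of the original post and is not the filter linked above. It assumes PHP-FPM behind nginx, so the message arrives as `FastCGI sent in stderr: "PHP message: ..."`; the regex, the sample log lines, the request path and the `maxretry`/`findtime` values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MSG = "error invoiceplane login: wrong password "  # text written by the error_log() line

def _line(ts, php_msg, ip):
    # Constructed nginx error.log entry (assumed PHP-FPM stderr format); not real traffic.
    return (f'{ts} [error] 811#811: *41 FastCGI sent in stderr: "PHP message: {php_msg}" '
            f'while reading response header from upstream, client: {ip}, '
            f'server: invoices.example, request: "POST /login-placeholder HTTP/1.1"')

SAMPLE_LOG = "\n".join([
    _line("2024/03/01 10:00:01", MSG + "203.0.113.7", "203.0.113.7"),
    _line("2024/03/01 10:00:20", MSG + "203.0.113.7", "203.0.113.7"),
    _line("2024/03/01 10:00:40", MSG + "198.51.100.9", "198.51.100.9"),
    _line("2024/03/01 10:01:05", MSG + "203.0.113.7", "203.0.113.7"),
    _line("2024/03/01 10:02:00", "PHP Notice: constructed unrelated message", "203.0.113.7"),
    _line("2024/03/01 10:09:00", MSG + "198.51.100.9", "198.51.100.9"),
    _line("2024/03/01 10:20:00", MSG + "198.51.100.9", "198.51.100.9"),
])

# Anchored on the nginx/FastCGI prefix so only the PHP message itself can match,
# not the same words appearing in another field of the log line.
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'FastCGI sent in stderr: "PHP message: ' + re.escape(MSG) +
    r'(?P<host>[0-9a-fA-F.:]+)"'
)

def failures(log_text):
    """Yield (timestamp, host) for every line the filter regex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["host"]

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Return hosts with maxretry failures inside a sliding findtime window (seconds)."""
    recent, banned = defaultdict(deque), []
    for ts, host in failures(log_text):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

The logged address is whatever `$_SERVER['REMOTE_ADDR']` holds, so behind a reverse proxy it will be the proxy's address unless the real client IP is restored first.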