I use invoiceplane for a bit more than 1 year and i am on version 1.4.4. on my own server exposed to the internet. I like this tool much but i wonder how i could make it a bit more secure. I wanted to use fail2ban because i use this on server side to secure different services. But i could not find a solution to make invoiceplane logging failed password attempts. After a little search i found a solution which works for me although it is not really elegant because of my low experience in php.
I had to add the following line:
error_log('error invoiceplane login: wrong password ’ . $_SERVER[REMOTE_ADDR]);
after the line with
“loginalert_credentials_incorrect”
in File:
application/modules/sessions/controllers/sessions.php
As a result every login with a wrong password is logged at webservers default error log, for nginx: /var/log/nginx/error.log
The rest ist standard fail2ban “magic”. You can download my suggest for fail2ban including jail.conf and filter file under:
jail.conf: https://it-support-ffm.de/downloads/invoiceplane/jail.conf
invoiceplane filter: https://it-support-ffm.de/downloads/invoiceplane/invoiceplane.conf
Regards,
Florian Reichardt
IT Support Florian Reichardt
1 Like
Hi Florian,
I posted a similar topic in regards to securing the installation with “.htaccess”:-
https://community2.invoiceplane.com/t/topic/2675
Fail2Ban is certainly a useful tool when considering the security attributes of hosting web sites online. I’ve expanded on your initial concept, which I’m hoping will allow me to consider the site secure enough to go into production.
// Check if the user exists
if (empty($user)) {
$this->session->set_flashdata('alert_error', lang('loginalert_user_not_found'));
error_log('error invoiceplane login: user not found ' . $SERVER[REMOTEADDR]);
redirect('sessions/login');
} else {
// Check if the user is marked as active
if ($user->user_active == 0) {
$this->session->set_flashdata('alert_error', lang('loginalert_user_inactive'));
error_log('error invoiceplane login: user inactive ' . $SERVER[REMOTEADDR]);
redirect('sessions/login');
} else {
if ($this->authenticate($this->input->post('email'), $this->input->post('password'))) {
if ($this->session->userdata('user_type') == 1) {
redirect('dashboard');
} elseif ($this->session->userdata('user_type') == 2) {
redirect('guest');
}
} else {
$this->session->set_flashdata('alert_error', lang('loginalert_credentials_incorrect'));
error_log('error invoiceplane login: wrong password ' . $SERVER[REMOTEADDR]);
redirect('sessions/login');
}
The fail2ban rule had to be slightly modified for Apache:-
failregex = \[client <HOST>.*\] error invoiceplane login:
Thanks for the initial concept, it was very useful information.
1 Like
Hi Futurian,
i am glad you find this helpful. Enjoy invoiceplane. 
Regards,
Florian