Invoiceplane and Fail2ban


#1

I have used invoiceplane for a bit more than 1 year and I am on version 1.4.4 on my own server exposed to the internet. I like this tool very much, but I wonder how I could make it a bit more secure. I wanted to use fail2ban because I use it on the server side to secure different services. But I could not find a solution to make invoiceplane log failed password attempts. After a little search I found a solution which works for me, although it is not really elegant because of my low experience in PHP.

I had to add the following line:

error_log('error invoiceplane login: wrong password ' . $_SERVER['REMOTE_ADDR']);

after the line with

"loginalert_credentials_incorrect"

in File:

application/modules/sessions/controllers/sessions.php

As a result every login with a wrong password is logged to the web server's default error log, for nginx: /var/log/nginx/error.log
The rest is standard fail2ban "magic". You can download my suggestion for fail2ban, including jail.conf and the filter file, under:

jail.conf: https://it-support-ffm.de/downloads/invoiceplane/jail.conf
invoiceplane filter: https://it-support-ffm.de/downloads/invoiceplane/invoiceplane.conf

Regards,

Florian Reichardt
IT Support Florian Reichardt


#2

Hi Florian,

I posted a similar topic in regards to securing the installation with “.htaccess”:-

Securing installation via .htpasswd

Fail2Ban is certainly a useful tool when considering the security attributes of hosting web sites online. I’ve expanded on your initial concept, which I’m hoping will allow me to consider the site secure enough to go into production.

        // Check if the user exists
        if (empty($user)) {
            $this->session->set_flashdata('alert_error', lang('loginalert_user_not_found'));
            // Log the failure to the web server error log so fail2ban can pick it up
            error_log('error invoiceplane login: user not found ' . $_SERVER['REMOTE_ADDR']);
            redirect('sessions/login');
        } else {
            // Check if the user is marked as active
            if ($user->user_active == 0) {
                $this->session->set_flashdata('alert_error', lang('loginalert_user_inactive'));
                error_log('error invoiceplane login: user inactive ' . $_SERVER['REMOTE_ADDR']);
                redirect('sessions/login');
            } else {
                if ($this->authenticate($this->input->post('email'), $this->input->post('password'))) {
                    if ($this->session->userdata('user_type') == 1) {
                        redirect('dashboard');
                    } elseif ($this->session->userdata('user_type') == 2) {
                        redirect('guest');
                    }
                } else {
                    $this->session->set_flashdata('alert_error', lang('loginalert_credentials_incorrect'));
                    error_log('error invoiceplane login: wrong password ' . $_SERVER['REMOTE_ADDR']);
                    redirect('sessions/login');
                }
            }
        }

The fail2ban rule had to be slightly modified for Apache:-

failregex = \[client <HOST>.*\] error invoiceplane login:

Thanks for the initial concept, it was very useful information.
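To check that a filter such as the Apache failregex above actually catches the lines written by the error_log() calls in #1 and #2 before putting it into production, here is an added Python example (not part of the thread or of fail2ban itself) that expands fail2ban's classic `<HOST>` tag, runs the filter over constructed log lines and reports which addresses would reach maxretry. The nginx regex and all log lines are constructed assumptions; the posted nginx filter is only available in the linked download.

```python
import re
from collections import Counter

# fail2ban's classic <HOST> expansion (what fail2ban-regex substitutes for the tag)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Apache filter line as posted in #2 above.
APACHE_FAILREGEX = r"\[client <HOST>.*\] error invoiceplane login:"
# Assumed nginx variant: php-fpm forwards error_log() output as a "PHP message:"
# string, and the error_log() call appends REMOTE_ADDR itself, so match that address.
NGINX_FAILREGEX = r'PHP message: error invoiceplane login: .* <HOST>" while'

def compile_failregex(failregex: str) -> re.Pattern:
    """Expand fail2ban's <HOST> tag and compile the filter like fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def failed_hosts(failregexes, lines):
    """Return the host captured from every log line matching any failregex."""
    compiled = [compile_failregex(fr) for fr in failregexes]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

def hosts_to_ban(failregexes, lines, maxretry=3):
    """Hosts reaching maxretry failures (findtime ignored: the sample is one window)."""
    counts = Counter(failed_hosts(failregexes, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample log lines (no real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    "[Mon Jan 02 10:00:01.000000 2023] [php7:notice] [pid 100] [client 203.0.113.5:51000] error invoiceplane login: wrong password 203.0.113.5",
    "[Mon Jan 02 10:00:05.000000 2023] [php7:notice] [pid 100] [client 203.0.113.5:51002] error invoiceplane login: user not found 203.0.113.5",
    "2023/01/02 10:00:09 [error] 100#100: *7 FastCGI sent in stderr: \"PHP message: error invoiceplane login: wrong password 203.0.113.5\" while reading response header from upstream, client: 203.0.113.5, server: invoice.example",
    "[Mon Jan 02 10:00:12.000000 2023] [php7:notice] [pid 100] [client 198.51.100.7:40000] error invoiceplane login: wrong password 198.51.100.7",
    "[Mon Jan 02 10:00:20.000000 2023] [php7:notice] [pid 100] [client 198.51.100.7:40001] AH01630: client denied by server configuration",
]

if __name__ == "__main__":
    filters = [APACHE_FAILREGEX, NGINX_FAILREGEX]
    print(failed_hosts(filters, SAMPLE_LOG))   # every matched address, in log order
    print(hosts_to_ban(filters, SAMPLE_LOG))   # addresses at or above maxretry=3
```

The same check can be done against a real log with `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/invoiceplane.conf`; the script above only reproduces the matching step so the regex can be tried offline.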


#3

Hi Futurian,

I am glad you find this helpful. Enjoy invoiceplane. :slight_smile:

Regards,

Florian