Invoiceplane and Fail2ban

Hi Florian,

I posted a similar topic regarding securing the installation with “.htaccess”:-

https://community2.invoiceplane.com/t/topic/2675

Fail2Ban is certainly a useful tool when considering the security attributes of hosting web sites online. I’ve expanded on your initial concept, which I’m hoping will allow me to consider the site secure enough to go into production.

        // Excerpt of the login handler; the error_log() calls write one line per
        // failed attempt to the web server's error log so fail2ban can match it.
        // Check if the user exists
        if (empty($user)) {
            $this->session->set_flashdata('alert_error', lang('loginalert_user_not_found'));
            error_log('error invoiceplane login: user not found ' . $_SERVER['REMOTE_ADDR']);
            redirect('sessions/login');
        } else {
            // Check if the user is marked as active
            if ($user->user_active == 0) {
                $this->session->set_flashdata('alert_error', lang('loginalert_user_inactive'));
                error_log('error invoiceplane login: user inactive ' . $_SERVER['REMOTE_ADDR']);
                redirect('sessions/login');
            } else {
                if ($this->authenticate($this->input->post('email'), $this->input->post('password'))) {
                    if ($this->session->userdata('user_type') == 1) {
                        redirect('dashboard');
                    } elseif ($this->session->userdata('user_type') == 2) {
                        redirect('guest');
                    }
                } else {
                    $this->session->set_flashdata('alert_error', lang('loginalert_credentials_incorrect'));
                    error_log('error invoiceplane login: wrong password ' . $_SERVER['REMOTE_ADDR']);
                    redirect('sessions/login');
                }
            }
        }

The fail2ban rule had to be slightly modified for Apache:-

failregex = \[client <HOST>.*\] error invoiceplane login:

Thanks for the initial concept, it was very useful information.
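To see how the error_log() lines and the Apache failregex above fit together, here is an added example (not code from the post or from InvoicePlane) that replays a jail offline: it expands fail2ban's `<HOST>` placeholder to the pattern fail2ban substitutes for it, runs the filter over a few constructed Apache 2.4 error-log lines in the format mod_php writes for error_log(), and applies a sliding findtime/maxretry window the way the jail would. The log lines, IP addresses and the maxretry/findtime/bantime values are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The post's failregex with fail2ban's <HOST> placeholder expanded to the
# pattern fail2ban substitutes for it (an IPv4 address or hostname). fail2ban
# also anchors a date pattern in front of the failregex; here the timestamp is
# parsed separately with DATE_RE. The ".*" swallows the ":port" suffix that
# Apache 2.4 appends after the client address.
FAILREGEX = re.compile(
    r"\[client (?P<host>(?:::f{4,6}:)?[\w\-.^_]*\w).*\] error invoiceplane login:"
)
# Apache 2.4 error-log timestamp, e.g. "[Tue Mar 01 10:15:01.000000 2016]"
DATE_RE = re.compile(r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\]")

# Constructed sample log (not real traffic): two hosts failing to log in, plus
# one unrelated Apache error line that the filter must ignore.
SAMPLE_LOG = """\
[Tue Mar 01 10:15:01.000000 2016] [php7:notice] [pid 4242] [client 198.51.100.23:51234] error invoiceplane login: wrong password 198.51.100.23
[Tue Mar 01 10:15:09.000000 2016] [php7:notice] [pid 4242] [client 198.51.100.23:51240] error invoiceplane login: user not found 198.51.100.23
[Tue Mar 01 10:15:20.000000 2016] [php7:notice] [pid 4242] [client 198.51.100.23:51251] error invoiceplane login: wrong password 198.51.100.23
[Tue Mar 01 10:15:30.000000 2016] [core:error] [pid 4242] [client 192.0.2.9:33333] AH00124: Request exceeded the limit of 10 internal redirects
[Tue Mar 01 10:16:02.000000 2016] [php7:notice] [pid 4243] [client 203.0.113.7:40001] error invoiceplane login: user inactive 203.0.113.7
[Tue Mar 01 10:16:30.000000 2016] [php7:notice] [pid 4242] [client 198.51.100.23:51260] error invoiceplane login: wrong password 198.51.100.23
[Tue Mar 01 11:30:00.000000 2016] [php7:notice] [pid 4250] [client 203.0.113.7:40100] error invoiceplane login: wrong password 203.0.113.7
[Tue Mar 01 11:30:01.000000 2016] [php7:notice] [pid 4250] [client 203.0.113.7:40101] error invoiceplane login: wrong password 203.0.113.7
"""


def parse_failures(log_text):
    """Return [(timestamp, host), ...] for every line the filter would flag."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        d = DATE_RE.match(line)
        if not d:
            continue  # matched the message but not the date: fail2ban would skip it too
        ts = datetime.strptime(d.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        hits.append((ts, m.group("host")))
    return hits


def find_bans(log_text, maxretry=3, findtime=600, bantime=3600):
    """Replay a jail: ban a host once it has maxretry matches inside findtime seconds.

    Returns [(ban_time, host), ...] in chronological order. While a host is banned
    its further attempts are ignored, as they would be dropped by the firewall rule.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    banned_until = {}            # host -> time the ban expires
    bans = []
    for ts, host in sorted(parse_failures(log_text)):
        if host in banned_until and ts < banned_until[host]:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # drop attempts older than findtime
        if len(q) >= maxretry:
            bans.append((ts, host))
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for ts, host in find_bans(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} ban {host}")
```

With the defaults above, 198.51.100.23 is banned at its third failure (10:15:20) and its later attempt is ignored, while 203.0.113.7 is not banned: its first failure at 10:16:02 has aged out of the 600-second window by the time the next two arrive. Two caveats worth checking before relying on this in production: PHP only writes error_log() output to Apache's error log when log_errors is on and no separate error_log path is configured, and if the site sits behind a reverse proxy or load balancer, REMOTE_ADDR will be the proxy's address, so the ban would hit the proxy rather than the attacker.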