From 9e63142748813889fc9282c90fd97aa627fc929c Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Thu, 19 Aug 2021 01:10:54 +0200 Subject: [PATCH] Diagnosis: report suspiciously high number of auth failures --- data/hooks/diagnosis/00-basesystem.py | 21 +++++++++++++++++++++ locales/en.json | 1 + 2 files changed, 22 insertions(+) diff --git a/data/hooks/diagnosis/00-basesystem.py b/data/hooks/diagnosis/00-basesystem.py index 3623c10e2..5b4b3394c 100644 --- a/data/hooks/diagnosis/00-basesystem.py +++ b/data/hooks/diagnosis/00-basesystem.py @@ -133,6 +133,13 @@ class BaseSystemDiagnoser(Diagnoser): summary="diagnosis_backports_in_sources_list", ) + if self.number_of_recent_auth_failure() > 500: + yield dict( + meta={"test": "high_number_auth_failure"}, + status="WARNING", + summary="diagnosis_high_number_auth_failures", + ) + def bad_sury_packages(self): packages_to_check = ["openssl", "libssl1.1", "libssl-dev"] @@ -154,6 +161,20 @@ class BaseSystemDiagnoser(Diagnoser): cmd = "grep -q -nr '^ *deb .*-backports' /etc/apt/sources.list*" return os.system(cmd) == 0 + def number_of_recent_auth_failure(self): + + # Those syslog facilities correspond to auth and authpriv + # c.f. https://unix.stackexchange.com/a/401398 + # and https://wiki.archlinux.org/title/Systemd/Journal#Facility + cmd = "journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago' | grep 'authentication failure' | wc -l" + + n_failures = check_output(cmd) + try: + return int(n_failures) + except Exception: + self.logger_warning("Failed to parse number of recent auth failures, expected an int, got '%s'" % n_failures) + return -1 + def is_vulnerable_to_meltdown(self): # meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754 diff --git a/locales/en.json b/locales/en.json index 693e9d24d..f6641f224 100644 --- a/locales/en.json +++ b/locales/en.json 
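Review bot: The threshold in the added `if self.number_of_recent_auth_failure() > 500:` is a bare magic number, and it also silently absorbs the helper's `-1` error sentinel, so a broken count and a quiet day look identical to the admin. I would hoist it to a named class constant with a one-line rationale, e.g. `AUTH_FAILURES_WARNING_THRESHOLD = 500  # per day; well above a normal day's typos, well below a brute-force run`, and bind the count first (`n_failures = self.number_of_recent_auth_failure()`) so it can be surfaced. The WARNING as yielded carries only a summary key; if the diagnoser framework accepts a details list here as other tests appear to (I cannot confirm from this hunk), including the observed count would make "suspiciously high" actionable. The enclosing method begins before this hunk.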
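Review bot: The pipeline in `cmd` (`journalctl … | grep 'authentication failure' | wc -l`) can never fail from the shell's point of view, because `wc -l` always prints a number and exits 0, so when journalctl cannot read the journal the method quietly returns 0 and the diagnosis stays green, while the `except Exception` around `int()` is effectively unreachable. Running only journalctl through `check_output` and counting the matching lines in Python keeps a journal read failure visible (assuming `check_output` raises on non-zero exit as subprocess's does; I cannot see its definition here) and is what the rewrite below does. Separately, the literal matches pam_unix's wording only: sshd's own "Failed password"/"Invalid user" lines and failed public-key attempts are not counted, so the number is a lower bound that depends on the PAM/sshd configuration, which deserves a comment next to the pattern. The one-day window is likewise hard-coded; a slow brute-force spread under the threshold per day is invisible to this check, and the docstring should say so.
```python
def number_of_recent_auth_failure(self):
    # … unchanged: facility reference comments …
    # NOTE: counts pam_unix's "authentication failure" lines only; sshd's
    # "Failed password"/"Invalid user" and failed pubkey attempts are not
    # included, so this is a lower bound for the last 24 hours.
    cmd = "journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago'"
    try:
        journal = check_output(cmd)
    except Exception as e:
        self.logger_warning("Failed to read the auth journal: %s" % e)
        return -1
    return sum("authentication failure" in line for line in journal.splitlines())
```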
@@ -239,6 +239,7 @@ "diagnosis_rootfstotalspace_critical": "The root filesystem only has a total of {space} which is quite worrisome! You will likely run out of disk space very quickly! It's recommended to have at least 16 GB for the root filesystem.", "diagnosis_security_vulnerable_to_meltdown": "You appear vulnerable to the Meltdown criticial security vulnerability", "diagnosis_security_vulnerable_to_meltdown_details": "To fix this, you should upgrade your system and reboot to load the new linux kernel (or contact your server provider if this doesn't work). See https://meltdownattack.com/ for more infos.", + "diagnosis_high_number_auth_failures": "There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.", "diagnosis_description_basesystem": "Base system", "diagnosis_description_ip": "Internet connectivity", "diagnosis_description_dnsrecords": "DNS records",