Diagnosis: report suspiciously high number of auth failures

2024-09-03 20:06:10 +02:00 · 2021-08-19 01:10:54 +02:00 · 2021-08-19 01:10:54 +02:00 · 9e63142748
commit 9e63142748
parent 1f7faabc30
2 changed files with 22 additions and 0 deletions
--- a/data/hooks/diagnosis/00-basesystem.py
+++ b/data/hooks/diagnosis/00-basesystem.py
@ -133,6 +133,13 @@ class BaseSystemDiagnoser(Diagnoser):
                summary="diagnosis_backports_in_sources_list",
            )

+        if self.number_of_recent_auth_failure() > 500:
+            yield dict(
+                meta={"test": "high_number_auth_failure"},
+                status="WARNING",
+                summary="diagnosis_high_number_auth_failures",
+            )
+
    def bad_sury_packages(self):

        packages_to_check = ["openssl", "libssl1.1", "libssl-dev"]
@ -154,6 +161,20 @@ class BaseSystemDiagnoser(Diagnoser):
        cmd = "grep -q -nr '^ *deb .*-backports' /etc/apt/sources.list*"
        return os.system(cmd) == 0

+    def number_of_recent_auth_failure(self):
+
+        # Those syslog facilities correspond to auth and authpriv
+        # c.f. https://unix.stackexchange.com/a/401398
+        # and https://wiki.archlinux.org/title/Systemd/Journal#Facility
+        cmd = "journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago' | grep 'authentication failure' | wc -l"
+
+        n_failures = check_output(cmd)
+        try:
+            return int(n_failures)
+        except Exception:
+            self.logger_warning("Failed to parse number of recent auth failures, expected an int, got '%s'" % n_failures)
+            return -1
+
    def is_vulnerable_to_meltdown(self):
        # meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754

--- a/locales/en.json
+++ b/locales/en.json
@ -239,6 +239,7 @@
    "diagnosis_rootfstotalspace_critical": "The root filesystem only has a total of {space} which is quite worrisome! You will likely run out of disk space very quickly! It's recommended to have at least 16 GB for the root filesystem.",
    "diagnosis_security_vulnerable_to_meltdown": "You appear vulnerable to the Meltdown criticial security vulnerability",
    "diagnosis_security_vulnerable_to_meltdown_details": "To fix this, you should upgrade your system and reboot to load the new linux kernel (or contact your server provider if this doesn't work). See https://meltdownattack.com/ for more infos.",
+    "diagnosis_high_number_auth_failures": "There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.",
    "diagnosis_description_basesystem": "Base system",
    "diagnosis_description_ip": "Internet connectivity",
    "diagnosis_description_dnsrecords": "DNS records",