Merge pull request #1292 from YunoHost/diagnose-suspicious-auth-failure

Diagnosis: report suspiciously high number of auth failures

data/hooks/diagnosis/00-basesystem.py

@@ -133,6 +133,13 @@ class BaseSystemDiagnoser(Diagnoser):
                 summary="diagnosis_backports_in_sources_list",
             )
 
+        if self.number_of_recent_auth_failure() > 500:
+            yield dict(
+                meta={"test": "high_number_auth_failure"},
+                status="WARNING",
+                summary="diagnosis_high_number_auth_failures",
+            )
+
     def bad_sury_packages(self):
 
         packages_to_check = ["openssl", "libssl1.1", "libssl-dev"]
@@ -154,6 +161,20 @@ class BaseSystemDiagnoser(Diagnoser):
         cmd = "grep -q -nr '^ *deb .*-backports' /etc/apt/sources.list*"
         return os.system(cmd) == 0
 
+    def number_of_recent_auth_failure(self):
+
+        # Those syslog facilities correspond to auth and authpriv
+        # c.f. https://unix.stackexchange.com/a/401398
+        # and https://wiki.archlinux.org/title/Systemd/Journal#Facility
+        cmd = "journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago' | grep 'authentication failure' | wc -l"
+
+        n_failures = check_output(cmd)
+        try:
+            return int(n_failures)
+        except Exception:
+            self.logger_warning("Failed to parse number of recent auth failures, expected an int, got '%s'" % n_failures)
+            return -1
+
     def is_vulnerable_to_meltdown(self):
         # meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754
 

locales/en.json

@@ -194,6 +194,7 @@
     "diagnosis_found_errors": "Found {errors} significant issue(s) related to {category}!",
     "diagnosis_found_errors_and_warnings": "Found {errors} significant issue(s) (and {warnings} warning(s)) related to {category}!",
     "diagnosis_found_warnings": "Found {warnings} item(s) that could be improved for {category}.",
+    "diagnosis_high_number_auth_failures": "There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.",
     "diagnosis_http_bad_status_code": "It looks like another machine (maybe your internet router) answered instead of your server.<br>1. The most common cause for this issue is that port 80 (and 443) <a href='https://yunohost.org/isp_box_config'>are not correctly forwarded to your server</a>.<br>2. On more complex setups: make sure that no firewall or reverse-proxy is interfering.",
     "diagnosis_http_connection_error": "Connection error: could not connect to the requested domain, it's very likely unreachable.",
     "diagnosis_http_could_not_diagnose": "Could not diagnose if domains are reachable from outside in IPv{ipversion}.",