Merge pull request #1292 from YunoHost/diagnose-suspicious-auth-failure

Diagnosis: report suspiciously high number of auth failures
2024-09-03 20:06:10 +02:00 · 2021-09-05 00:26:01 +02:00 · 2021-09-05 00:26:01 +02:00 · e489d31290
commit e489d31290
parent 38e4cfc4da 163ee759fc
2 changed files with 22 additions and 0 deletions
--- a/data/hooks/diagnosis/00-basesystem.py
+++ b/data/hooks/diagnosis/00-basesystem.py
@ -133,6 +133,13 @@ class BaseSystemDiagnoser(Diagnoser):
                summary="diagnosis_backports_in_sources_list",
            )

+        if self.number_of_recent_auth_failure() > 500:
+            yield dict(
+                meta={"test": "high_number_auth_failure"},
+                status="WARNING",
+                summary="diagnosis_high_number_auth_failures",
+            )
+
    def bad_sury_packages(self):

        packages_to_check = ["openssl", "libssl1.1", "libssl-dev"]
@ -154,6 +161,20 @@ class BaseSystemDiagnoser(Diagnoser):
        cmd = "grep -q -nr '^ *deb .*-backports' /etc/apt/sources.list*"
        return os.system(cmd) == 0

+    def number_of_recent_auth_failure(self):
+
+        # Those syslog facilities correspond to auth and authpriv
+        # c.f. https://unix.stackexchange.com/a/401398
+        # and https://wiki.archlinux.org/title/Systemd/Journal#Facility
+        cmd = "journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago' | grep 'authentication failure' | wc -l"
+
+        n_failures = check_output(cmd)
+        try:
+            return int(n_failures)
+        except Exception:
+            self.logger_warning("Failed to parse number of recent auth failures, expected an int, got '%s'" % n_failures)
+            return -1
+
    def is_vulnerable_to_meltdown(self):
        # meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754

--- a/locales/en.json
+++ b/locales/en.json
@ -194,6 +194,7 @@
    "diagnosis_found_errors": "Found {errors} significant issue(s) related to {category}!",
    "diagnosis_found_errors_and_warnings": "Found {errors} significant issue(s) (and {warnings} warning(s)) related to {category}!",
    "diagnosis_found_warnings": "Found {warnings} item(s) that could be improved for {category}.",
+    "diagnosis_high_number_auth_failures": "There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.",
    "diagnosis_http_bad_status_code": "It looks like another machine (maybe your internet router) answered instead of your server.<br>1. The most common cause for this issue is that port 80 (and 443) <a href='https://yunohost.org/isp_box_config'>are not correctly forwarded to your server</a>.<br>2. On more complex setups: make sure that no firewall or reverse-proxy is interfering.",
    "diagnosis_http_connection_error": "Connection error: could not connect to the requested domain, it's very likely unreachable.",
    "diagnosis_http_could_not_diagnose": "Could not diagnose if domains are reachable from outside in IPv{ipversion}.",