@arthanson
Collaborator

Fixes: #10653

@jeremystretch Not completely sure what the best way is here. The log was done for failed login attempts but at DEBUG level, which would be fairly spammy to have on; changed to INFO level and also included the failed username - I don't think that would violate personally identifiable information security issues... Probably up for discussion whether this makes sense to change (from a logging standpoint, if that is too much info for some people, and from a security standpoint, if the username should be shown).

@jeremystretch
Member

Let's keep the debug line as it is, I think. I would think it's already possible to log authentication failures reported by Django using the native logging functionality; is this not the case?

@jeremystretch
Member

I did a bit of digging and surprisingly it seems that Django doesn't log authentication failures out of the box. Still, we'd want to log the success/failure result somewhere closer to the backend itself, rather than on the login form. (The existing logging statements are merely for debugging the form itself.)

@arthanson
Collaborator Author

Changed to use the user_login_failed signal issued from within Django.

@arthanson
Collaborator Author

@jeremystretch ready for re-review.

@jeremystretch
Member

> Changed to use the user_login_failed signal issued from within Django.

Nice!

arthanson and others added 2 commits November 17, 2022 16:46
Co-authored-by: Jeremy Stretch <[email protected]>
Co-authored-by: Jeremy Stretch <[email protected]>
@jeremystretch jeremystretch merged commit de9646d into develop Nov 18, 2022
@jeremystretch jeremystretch deleted the 10653-log-failed-logins branch November 18, 2022 13:58
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 19, 2022
Successfully merging this pull request may close these issues.

Make it possible to log failed login attempts
