I run a joplin-server Docker instance. Just like with other services I host I try to make it as secure as possible. For Joplin, I wanted to utilize Fail2Ban to ban any IP that have multiple failed authentication attempts.
Joplin lets Docker handle its logs. If we fail an authentication attempt and inspect the logs we will see that the attempt is logged but its origin is not:
{"log":"2022-11-17 16:47:05: App: GET /login (200) (1ms)\n","stream":"stdout","time":"2022-11-17T15:47:05.089015236Z"}
{"log":"2022-11-17 16:47:18: App: POST /login (403) (168ms)\n","stream":"stdout","time":"2022-11-17T15:47:18.248275442Z"}
Suggestion:
Have Joplin log the origin (IP) of an authentication request. This would allow for services such as Fail2Ban to act upon multiple failed authentication attempts.
As @dpoulton said rate-limiter has similar features and can ban IPs in a similar way.
If I wanted to make my instance secure I wouldn't make it accessible to random IPs in the first place. For example, I'd use a VPN to connect to it. Or, if your notes are encrypted, then the question of brute-force authentication becomes less relevant.
As you say, rate-limiting would not be quite the same. It would nonetheless add to security (which is always a good thing) and I will bookmark that thread for later.
@thatman Thank you for the suggestion. As you might imagine, different people have different opportunities and requirements when it comes to their security environment. Using a VPN to access the LAN of the server is not an acceptable solution for my perticular use-case.