[Joplin Server] Log origin of authentication request

Background

I run a joplin-server Docker instance. Just like with other services I host, I try to make it as secure as possible. For Joplin, I wanted to utilize Fail2Ban to ban any IP that has multiple failed authentication attempts.

Joplin lets Docker handle its logs. If we fail an authentication attempt and inspect the logs we will see that the attempt is logged but its origin is not:

{"log":"2022-11-17 16:47:05: App: GET /login (200) (1ms)\n","stream":"stdout","time":"2022-11-17T15:47:05.089015236Z"}
{"log":"2022-11-17 16:47:18: App: POST /login (403) (168ms)\n","stream":"stdout","time":"2022-11-17T15:47:18.248275442Z"}

Suggestion:

Have Joplin log the origin (IP) of an authentication request. This would allow for services such as Fail2Ban to act upon multiple failed authentication attempts.
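As an added illustration (not Joplin's own code), the script below unwraps Docker json-file records like the two quoted above and picks out the rejected POST /login attempts; it shows that the parsed event has no client address, which is exactly what a Fail2Ban filter would need to capture. The sample lines are constructed from the quoted format and the event field names are assumptions.

```python
"""Parse Joplin Server request lines out of Docker json-file log records and
list failed authentication attempts. Constructed sample data; field names are
assumptions for this illustration, not Joplin's own."""
import json
import re
from typing import Optional

# "YYYY-MM-DD HH:MM:SS: App: METHOD /path (STATUS) (NNms)" as quoted in the post.
APP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): App: "
    r"(?P<method>[A-Z]+) (?P<path>\S+) \((?P<status>\d{3})\) \((?P<ms>\d+)ms\)$"
)


def parse_docker_line(raw: str) -> Optional[dict]:
    """Unwrap one json-file record and parse the Joplin request line inside it."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None
    m = APP_LINE.match(rec.get("log", "").rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ms"] = int(ev["ms"])
    ev["docker_time"] = rec.get("time")
    # Joplin emits no client address, so there is nothing to fill in here; a
    # Fail2Ban filter needs a <HOST> capture, which this log format cannot supply.
    ev["origin"] = None
    return ev


def failed_logins(lines):
    """Return the parsed events that represent rejected POST /login attempts."""
    events = (parse_docker_line(line) for line in lines)
    return [e for e in events
            if e and e["method"] == "POST" and e["path"] == "/login"
            and e["status"] in (401, 403)]


# Constructed sample records in the same shape as those quoted in the post.
SAMPLE = [
    '{"log":"2022-11-17 16:47:05: App: GET /login (200) (1ms)\\n","stream":"stdout","time":"2022-11-17T15:47:05.089015236Z"}',
    '{"log":"2022-11-17 16:47:18: App: POST /login (403) (168ms)\\n","stream":"stdout","time":"2022-11-17T15:47:18.248275442Z"}',
    '{"log":"2022-11-17 16:47:19: App: POST /login (403) (150ms)\\n","stream":"stdout","time":"2022-11-17T15:47:19.100000000Z"}',
    "not json at all",
]

if __name__ == "__main__":
    for e in failed_logins(SAMPLE):
        print(e["ts"], e["method"], e["path"], e["status"], "origin =", e["origin"])
```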


@Stylbaek welcome to the forum.

The below post indicates that Joplin Server does have a rate-limiter, though that is not quite the same as Fail2Ban...

Server errors are in joplin/errors.ts at dev · laurent22/joplin · GitHub
It'd be nice if the client IP was logged.

As @dpoulton said rate-limiter has similar features and can ban IPs in a similar way.

If I wanted to make my instance secure I wouldn't make it accessible to random IPs in the first place. For example, I'd use a VPN to connect to it. Or, if your notes are encrypted, then the question of brute-force authentication becomes less relevant.

@dpoulton Thank you for the welcome!

As you say, rate-limiting would not be quite the same. It would nonetheless add to security (which is always a good thing) and I will bookmark that thread for later.

@thatman Thank you for the suggestion. As you might imagine, different people have different opportunities and requirements when it comes to their security environment. Using a VPN to access the LAN of the server is not an acceptable solution for my particular use case.
