Write failed login attempts to log file

by Alexander Kallenbach -
Hello,

I want to secure my server running Moodle using fail2ban. Fail2ban is able to read log files and, if there are too many failed login attempts, to ban the IP from which these attempts are coming.

Therefore I want to write failed login attempts to a log file. How can I achieve this?

Thanks in advance!


In reply to Alexander Kallenbach

Re: Write failed login attempts to log file

by AL Rachels -

Hi Alexander,

Have you looked at the logs for your server to see if failed login attempts are already being logged there? What OS does your server use?

In reply to Alexander Kallenbach

Re: Write failed login attempts to log file

by Alton Johnson -

Um, have there been any updates to this? I'm also curious for the same reasons as the OP. Would love to implement fail2ban to increase the security of my Moodle site.

In reply to Alton Johnson

Re: Write failed login attempts to log file

by AL Rachels -

Again, if your system is already logging the failed login attempts, it is an easy setup to get fail2ban working. Just search online for how to do it for the OS that you use. There are multiple how-to guides out there. It all depends on your OS and doesn't really have anything to do with Moodle.

There are so MANY locations trying to hack servers that I have mine set so that if you fail to log in once, you are permanently banned. In four years, I have accidentally banned myself twice. Since that is a potential problem, you need to do like I have done and have multiple ways to log in to a terminal window on the server, so you can un-ban yourself, if needed.

In reply to AL Rachels

Re: Write failed login attempts to log file

by Alexander Kallenbach -

By default Moodle is logging the failed attempts to its database. There are therefore no log entries by Moodle. The Nginx log is not usable for fail2ban.

My question was therefore if it is possible to make Moodle log the failed login attempts to a file.

In reply to Alexander Kallenbach

Re: Write failed login attempts to log file

by Marc Sci -

Hi Alexander, could you give me the name of the table where the failed attempts are stored? Thank you.

In reply to Alexander Kallenbach

Re: Write failed login attempts to log file

by Howard Miller -

Failed login attempts are written to Moodle's log table. 

However, Moodle already has the functionality you are trying to implement - https://docs.moodle.org/35/en/Site_security_settings#Account_lockout

In reply to Howard Miller

Re: Write failed login attempts to log file

by Howard Miller -

BUT...

Logged things are actually events. So you could write an event handler to catch failed logins. You can then do whatever you like with the information. Including syslog() maybe. 

In reply to Howard Miller

Re: Write failed login attempts to log file

by Alexander Kallenbach -

This sounds good. Could you maybe give me some more help? How can I write such an event handler and how do I log these events to a file then?

In reply to Alexander Kallenbach

Re: Write failed login attempts to log file

by Howard Miller -

You need to create a "local plugin" - https://docs.moodle.org/dev/Local_plugins

...that handles the '\core\event\user_login_failed' event - https://docs.moodle.org/dev/Events_API#Handling_an_event

I would probably just create a new log file and write suitable lines out to the file to identify whatever information you need (time, IP address, username and so on). 

You can then create a new fail2ban 'thing' to process that log file. 
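
The local plugin described in the post above, sketched as an added example (not code from this thread or from Moodle itself). The plugin name `local_failedloginlog`, the version stamp, the log file location under `$CFG->dataroot` and the log line layout are assumptions; the three files are shown in one block and each is a separate file in the plugin directory.

```php
<?php
// ---- local/failedloginlog/version.php ----
defined('MOODLE_INTERNAL') || die();
$plugin->component = 'local_failedloginlog'; // Hypothetical plugin name.
$plugin->version   = 2024010100;             // Constructed version stamp.

// ---- local/failedloginlog/db/events.php (separate file, also starts with <?php) ----
defined('MOODLE_INTERNAL') || die();
$observers = [
    [
        'eventname' => '\core\event\user_login_failed',
        'callback'  => '\local_failedloginlog\observer::login_failed',
    ],
];

// ---- local/failedloginlog/classes/observer.php (separate file, also starts with <?php) ----
namespace local_failedloginlog;

defined('MOODLE_INTERNAL') || die();

class observer {
    /** Append one line per failed login: time, IP address, reason code, username. */
    public static function login_failed(\core\event\user_login_failed $event) {
        global $CFG;
        // Client address as resolved by Moodle.
        $ip = getremoteaddr();
        // The username is attacker-controlled: replace control and non-ASCII bytes
        // so a crafted name cannot inject a forged log line, and cap its length.
        $username = preg_replace('/[^\x20-\x7E]/', '?', (string)($event->other['username'] ?? ''));
        $username = substr($username, 0, 100);
        $reason = (int)($event->other['reason'] ?? 0);
        $line = sprintf(
            "%s moodle login failed from %s reason=%d user=\"%s\"\n",
            date('Y-m-d H:i:s'), $ip, $reason, addcslashes($username, '"\\')
        );
        // Assumed location: the Moodle data directory, writable by the web server.
        file_put_contents($CFG->dataroot . '/failedlogins.log', $line, FILE_APPEND | LOCK_EX);
    }
}

// A matching fail2ban filter line for this layout (the IP precedes the username,
// so the free-text field cannot shift what <HOST> captures):
//   failregex = ^\s*moodle login failed from <HOST> reason=\d+ user=
```

If Moodle sits behind a reverse proxy, confirm that the logged address is the client's and not the proxy's before enabling a ban action on this file.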

In reply to Howard Miller

Re: Write failed login attempts to log file

by Alexander Kallenbach -

Doesn't sound that easy ...

Maybe Moodle isn't the right thing for me. Don't want to write software, just want to use software.

Would be great to have the possibility of just saying to log to a file instead of logging to the database. The config is already so overblown and complicated, this button would help much but would not disturb anyone.

Thanks for your help. But I don't know if I want to write such a plugin. I'm afraid of making errors which might then be dangerous for the whole server.

In addition, the linked doc seems to be outdated. But thanks again!

In reply to Alexander Kallenbach

Re: Write failed login attempts to log file

by Howard Miller -

To an experienced Moodle dev that would be pretty easy. 

You have to realise that what you are asking is extremely unusual - in fact unique I would suggest. 

The advantage of Moodle as an open source software solution is that if you do want to do something a bit "different" you have the option to write a plugin to do it. Or pay someone to do it. 

So - the point is - you (or someone) *can* do it. It's not Moodle's fault that you have a unique requirement that nobody has written a plugin for. 

PS. All developer documentation ever written is outdated. The linked documentation is close enough, though. 

In reply to Howard Miller

Re: Write failed login attempts to log file

by Alexander Kallenbach -

I've solved the problem quite easily. Added one line to auth_ldap.php:

error_log("Login failed", 0);