Hello,
goal
I would like to protect a DokuWiki install against "bruteforce login" on the page https://myserver.example.org/dokuwiki/start?do=login
In the past, I used to ban IPs by using fail2ban https://github.com/YunoHost-Apps/dokuwiki_ynh/blob/master/scripts/install#L224 thanks to the plugin https://www.dokuwiki.org/plugin:logautherror?s[]=fail2ban but it does not work anymore and I am looking for a "replacement"
question / discussion
Are there some "best practices" to achieve this? Block/ban/delay connection to the login page?
For now, I will rely on fail2ban to ban "bruteforce login" as it is the "default" solution on the system I use.
I tried looking for "fail2ban" on the wiki or the forum but I didn't find anything related to my request (I might have missed something!)
I see multiple "solutions" to log the "login attempt on the server"
Proposals
1. logindelay plugin
Adds a delay after X failed login attempts and is easy to add
https://www.dokuwiki.org/plugin:logindelay?s[]=logindelay
2. Captcha plugin
does not seem to protect against bruteforce but is easy to add
https://www.dokuwiki.org/plugin:captcha
3. loglog plugin
logs all login events to a file
https://www.dokuwiki.org/plugin:loglog?s[]=loglog
Seems like a nice candidate, but the log format is not made to be "parsed" by scripts and I'm sure I could create a fail2ban regex restrictive enough (see below).
```text
# 1. normal failed login
1661791334 2022/08/29 16:42 2001:db8::1 user1 failed login attempt
# 2. inject a legitimate IP "2001:db8::22" to try to make fail2ban ban it
1661791383 2022/08/29 16:43 2001:db8::1 user2 2001:db8::22 failed login attempt
# 3. inject lots of stuff
1661791435 2022/08/29 16:43 2001:db8::1 i can put things user3 2001:db8::22 here sooooo failed login attempt
```
edit1: Seems to be the way to go according to https://forum.dokuwiki.org/d/13238-securite-plug-in-logbadlogin-journaliser-les-erreurs-d-authentifications/10
with the regex: failregex = ^.*Bad\ login\ from\ <HOST> .*user.*$
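To make the injection concern above concrete, here is an added example (not code from the original post, the loglog plugin or fail2ban) that runs two fail2ban-style failregexes over constructed lines in the loglog format quoted above. It assumes a simplified stand-in for what fail2ban substitutes for `<HOST>`, and the names `LOOSE`, `STRICT`, `matched_hosts` and `hosts_to_ban` are mine.

```python
import re
from collections import Counter

# Constructed sample in the loglog plugin's line format as quoted in the post:
# "<epoch> <date> <time> <client-ip> <username> <event>". The username field
# is attacker-controlled, so lines 2 and 3 carry an injected "2001:db8::22".
SAMPLE_LOG = """\
1661791334 2022/08/29 16:42 2001:db8::1 user1 failed login attempt
1661791383 2022/08/29 16:43 2001:db8::1 user2 2001:db8::22 failed login attempt
1661791435 2022/08/29 16:43 2001:db8::1 i can put things user3 2001:db8::22 here sooooo failed login attempt
1661791500 2022/08/29 16:45 2001:db8::1 user4 logged in
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption;
# fail2ban's real host pattern is more complete): dotted IPv4, or an IPv6
# literal with at least two colons so that "16:42" is not taken for a host.
HOST = r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]*(?::[0-9a-fA-F]*){2,7})"

# Loose rule: a host anywhere before "failed login attempt". The greedy ".*"
# makes the LAST host-looking token win, i.e. whatever the username contains.
LOOSE = re.compile(rf"^.*\s(?P<host>{HOST})\s.*failed login attempt$")

# Positional rule: the client IP is always the 4th whitespace-separated field,
# right after epoch, date and time, so text in the username cannot displace it.
STRICT = re.compile(rf"^\d+ \S+ \S+ (?P<host>{HOST}) .*failed login attempt$")


def matched_hosts(lines, pattern):
    """Host extracted from each line the pattern matches, in log order."""
    return [m.group("host") for m in map(pattern.match, lines) if m]


def hosts_to_ban(lines, pattern, maxretry=2):
    """Hosts fail2ban would ban: those reaching maxretry matched failures."""
    counts = Counter(matched_hosts(lines, pattern))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("positional", STRICT)):
        print(name, matched_hosts(SAMPLE_LINES, pattern),
              "-> ban", sorted(hosts_to_ban(SAMPLE_LINES, pattern)))
```

With the loose rule the injected address gets banned and the real client escapes; with the positional rule every failure is attributed to the actual client IP.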
4. Other solution?
other ideas?
Fail2ban rules writing
Fail2ban rules are based on regex and not really "user friendly" (to me at least 🙂 ) so I'm not really sure I will spend too much energy/time on it...
Technical context