log a consistent log line for failed authentication attempts, with the remote ip

so external tools (like fail2ban) can monitor the logs and block ip's of bots. for issue #30 by inigoserna, though i'm not sure i interpreted the suggestion correctly.
2025-07-12 16:24:37 +03:00 · 2023-05-31 20:39:00 +02:00
parent 70d07c5459
commit 713d781bad
4 changed files with 28 additions and 4 deletions
--- a/http/admin.go
+++ b/http/admin.go
@ -132,11 +132,14 @@ func checkAdminAuth(ctx context.Context, passwordfile string, w http.ResponseWri
 	}()

 	var err error
+	var remoteIP net.IP
 	addr, err = net.ResolveTCPAddr("tcp", r.RemoteAddr)
 	if err != nil {
 		log.Errorx("parsing remote address", err, mlog.Field("addr", r.RemoteAddr))
+	} else if addr != nil {
+		remoteIP = addr.IP
 	}
-	if addr != nil && !mox.LimiterFailedAuth.Add(addr.IP, start, 1) {
+	if remoteIP != nil && !mox.LimiterFailedAuth.Add(remoteIP, start, 1) {
 		metrics.AuthenticationRatelimitedInc("httpadmin")
 		http.Error(w, "429 - too many auth attempts", http.StatusTooManyRequests)
 		return false
@ -164,10 +167,12 @@ func checkAdminAuth(ctx context.Context, passwordfile string, w http.ResponseWri
 	}
 	t := strings.SplitN(string(auth), ":", 2)
 	if len(t) != 2 || len(t[1]) < 8 {
+		log.Info("failed authentication attempt", mlog.Field("username", "admin"), mlog.Field("remote", remoteIP))
 		return respondAuthFail()
 	}
 	if err := bcrypt.CompareHashAndPassword([]byte(passwordhash), []byte(t[1])); err != nil {
 		authResult = "badcreds"
+		log.Info("failed authentication attempt", mlog.Field("username", "admin"), mlog.Field("remote", remoteIP))
 		return respondAuthFail()
 	}
 	authCache.lastSuccessHash = passwordhash