extra security

[blassley]

we should add a homarr collection too crowdsec for an extra layer of security. what code does homarr use for failed logins? i can try too create a simple scenario for crowdsec to watch

[manuel-rw]

Hi, thanks for the suggestion. I discussed this with our team and we came to the following conclusions:

• We might not be able to obtain the real IP address of the user attempting to log in (unless it is passed as a header from the reverse proxy) - therefore it would be hard to implement this, depending on your setup.
• You generally shouldn't expose Homarr to the open wide web, since there is no reason for other clients to access Homarr. Although Crowdsec would help removing malicious users, you shouldn't even have this problem when you use Homarr in your own trusted network. Consider to use tunnels, such as Wireguard, Cloudflare tunnels or Tailscale instead.
• Implementing a Crowdsec specific solution wouldn't be much value for most users. The ROI is not high enough and we have more urgent issues and bugs to deal with.

Therefore, I have the following question: Would it be useful to you if we simply add the IP from the header to the "login failed" message in the logs? You could easily extract this and handle it yourself with Crowsec.

[blassley]

Thanks for the reply! I think you would be surprised how many people use homarr through a reverse proxy, maybe a poll for this? Also yes adding the ip source to the failed logins with say a 401 status code or whatever code you see fit for this would be the only thing needed too create your own custom scenario with crowdsec.
Edit: but yes it would need to be the real-ip header

[manuel-rw]

Sadly many are doing what you described... We made the admin login mandatory for this exact reason 😅.
Great! Then we'll add the IP to the log message. No further action is required from your side.
I created #2508 . You can subscribe to the issue to get notified once this has been implemented.