OOD 1.8 + Dex + Fail2Ban

I’m testing the upgrade from OOD 1.6 to 1.8. All seems to be going fine. I was able to implement Dex after a little troubleshooting.

My question now is if Dex generates logs anywhere, either for just failed logins or both failed+successful logins. We currently use fail2ban to watch for failed Apache basic auth logins to lock out IPs after a certain number of failed attempts. Bonus points if someone has a fail2ban filter config for Dex.

The logging is to stdout or stderr of the daemon which is captured by journald and if you have journald setup to talk to rsyslog then you will have ondemand-dex logs in a place like /var/log/messages. I believe there are logs for successful login attempts but I honestly do not recall if there are log entries for failed attempts. Let me know if you need pointers on getting systemd into syslog, it’s not as straight forward as it should be though most RHEL/CentOS systems ship with the necessary configs if you leave stock configs in place.

Hello, I’m coming back to this again this summer. I see that ondemand-dex logs failures to the /var/log/messages log. I would like to write a fail2ban rule for this, but it does not log the remote IP trying to login. Is there a way to get dex to output the IP that the failed login is coming from?

Here is an example log that I could match again, but again, I would need to know the remote host to be able to block it.
Aug 2 15:30:20 hpc-ondemand-dev ondemand-dex: time=“2021-08-02T19:30:20Z” level=error msg=“ldap: invalid password for user “uid=hpcguest,ou=People,dc=example,dc=com””

As a comparison, the Apache basic authentication failed login looks like this and contains the remote IP that fail2ban can use to create an iptables rule to temporarily block.
[Thu Jul 15 20:20:44.409544 2021] [auth_basic:error] [pid 10513] [client] AH01617: user hpcguest: authentication failure for “/pun/sys/dashboard”: Password Mismatch

Invalid credential logs come from here: dex/ldap.go at 766fc7ad990b51f656e03f03e157ba81da132552 · dexidp/dex · GitHub

Based on a quick pass of the code, they don’t appear to store the connecting information in that function.

The connection for LDAP is part of a Go interface used by all connectors: dex/connector.go at 766fc7ad990b51f656e03f03e157ba81da132552 · dexidp/dex · GitHub - so in order to even begin passing additional data to Login function, you’d have to update the interface and all connectors using that interface.

The idea of logging the ip address seems like a valid request, might try opening issue on Dex Github and see if maybe the developers can add this if you’re not familiar with Go.