Fail2ban, OOD and Dex?

Hi All,

I was trying to enable fail2ban on my OOD 2.0.18 instance using Dex and LDAP.

It looks like apache or httpd24 do not even log login failures, because these are now handled by Dex. The only place a failure gets logged is /var/log/messages:

Nov 2 09:04:30 Myserver ondemand-dex: time="2021-11-02T14:04:30Z" level=error msg="ldap: invalid password for user "uid=Myuid,ou=People,dc=myorg,dc=ca""

This log entry does not provide any IP info to ban, even if I somehow make a working filter for Dex LDAP issues.

Is there any way to make Dex more verbose, to record and display IPs? Or maybe I am looking in the wrong direction and login errors with IPs can be found somewhere else?

Thanks!


Grigory Shamov,
University of Manitoba
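As an added example (not code from this thread, from OnDemand or from Dex), the script below parses ondemand-dex syslog lines of the shape quoted above and counts bad-password failures per LDAP account in a fail2ban-style findtime window. Since the line carries no client address, a per-account count is the view a defender can still get from it; the sample lines are constructed, and the regex assumes Dex's logfmt output escapes the inner quotes around the DN as \" (the forum rendering shows curly quotes instead).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix followed by Dex's logfmt fields. Only the timestamp and the
# quoted DN inside msg are captured; note that no client IP exists in the line.
DEX_LDAP_FAIL = re.compile(
    r'ondemand-dex: time="(?P<time>[^"]+)" level=error '
    r'msg="ldap: invalid password for user \\?"(?P<dn>[^"\\]+)\\?""'
)

# Constructed sample log (assumed \" escaping of the inner quotes).
SAMPLE_LOG = """\
Nov 2 09:04:30 Myserver ondemand-dex: time="2021-11-02T14:04:30Z" level=error msg="ldap: invalid password for user \\"uid=Myuid,ou=People,dc=myorg,dc=ca\\""
Nov 2 09:04:41 Myserver ondemand-dex: time="2021-11-02T14:04:41Z" level=error msg="ldap: invalid password for user \\"uid=Myuid,ou=People,dc=myorg,dc=ca\\""
Nov 2 09:05:02 Myserver ondemand-dex: time="2021-11-02T14:05:02Z" level=error msg="ldap: invalid password for user \\"uid=Myuid,ou=People,dc=myorg,dc=ca\\""
Nov 2 09:30:00 Myserver ondemand-dex: time="2021-11-02T14:30:00Z" level=error msg="ldap: invalid password for user \\"uid=other,ou=People,dc=myorg,dc=ca\\""
Nov 2 09:31:00 Myserver ondemand-dex: time="2021-11-02T14:31:00Z" level=info msg="constructed non-failure line"
""".splitlines()


def parse_dex_failures(lines):
    """Yield (timestamp, uid) for every Dex LDAP bad-password line."""
    for line in lines:
        m = DEX_LDAP_FAIL.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("time"), "%Y-%m-%dT%H:%M:%SZ")
        uid_m = re.match(r"uid=([^,]+)", m.group("dn"))
        yield ts, (uid_m.group(1) if uid_m else m.group("dn"))


def accounts_under_attack(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {uid: total_failures} for accounts that hit maxretry failures
    within any findtime window (fail2ban semantics, applied per account)."""
    events = defaultdict(list)
    for ts, uid in parse_dex_failures(lines):
        events[uid].append(ts)
    flagged = {}
    for uid, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > findtime:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                flagged[uid] = len(times)
                break
    return flagged
```

With the sample above, only Myuid (three failures in under a minute) is flagged; the output can drive an account lockout or an alert, but not an IP ban.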

It seems like apache would always be the referrer, but someone could be hitting your dex directly. @tdockendorf I know we’d talked about fail2ban policies applying to dex. What can be done here?

There was a similar question in another Discourse thread and unfortunately from looking at the Dex code the IP is not captured so can’t be logged. The place in Dex that handles authentication only has access to username and password: dex/ldap.go at 588910468a1e18241e26577fb0c2cf922eeb86b9 · dexidp/dex · GitHub

It would require code changes to Dex to capture the IP of the request and log it on login failure.

Also @jeff.ohrstrom when the username/password is evaluated the user is connected directly to Dex login page via Dex port so Apache is not actually involved since Apache just forwards the user information that redirects them to Dex, so it’s Dex the user is directly accessing during login. I am fairly certain that if you provide the wrong username/password Dex will not forward you back to mod_auth_openidc in Apache so I don’t think Apache has a way to know about the authentication failure.

What would be a possible workaround to prevent brute force scans?
Putting everything behind a reverse proxy (would that work with Dex?)?

A reverse proxy might work but only for brute force attacks that scan for invalid URLs and paths. The reverse proxy would have no way to know about authentication failures so that kind of brute force attack could not be stopped using a reverse proxy.

It might be worth opening an issue with Dex and asking for feature to log the IP address of authentication failures.

Putting Dex behind a reverse proxy is not something we’ve tested, so I cannot say whether that will work. It might be possible, but I am not sure if Dex has certain assumptions about being accessed by port 5554 or 5556 directly, i.e. it uses that information in OIDC information.