[Security Request] Fail2Ban Support #7920

Closed
opened 2026-02-21 19:14:45 -05:00 by deekerman · 6 comments

Originally created by @zero77 on GitHub (Oct 15, 2018).

Can you please add support for fail2ban by creating a log of failed logins with the IP address, date and time stamp?
Thanks

https://github.com/fail2ban/fail2ban

Basic requirements for log compatibility:
Also, perhaps just separate logs as I think this could decrease system load when analyzing.

> a date-time when is failure occurred, better in the system time zone (fail2ban supports several date-time formats, but it can be also configured separately via datepattern parameter)
>
> an unique identifier of the intruder (most the IP address, but if not IP-related it could be also an e-mail, or user, etc)
>
> some message part that obviously identifies a failed attempt (like Authentication failed: invalid password)
>
> **As an example:**
>
> 2018-09-30 23:05:55 WARN AUTH-ERROR: 192.0.2.1 - Authentication failed for user "tester": user unknown
> 2018-09-30 23:15:03 WARN AUTH-ERROR: 192.0.2.5 - Authentication failed for user "root": user disallowed
> 2018-09-30 23:18:05 WARN AUTH-ERROR: 192.0.2.8 - Authentication failed for user "admin": invalid password
>
> **Note the best practices also:**
>
> the unique characteristic of failure (here AUTH-ERROR) as well as the identifier (here IPs) as early as possible in the message (could be found faster and with fewer load during the search);
>
> foreign data (user input), if needed to be logged, should be escaped (if possible) and/or placed at end of line (so the parser does not need to traverse this info to find all expected failure characteristics)
>
> if possible write it into separate log-file (or log-file with few errors) or if logged into systemd-journal resp. rsyslog provide it with some unique marks (e. g. severity: warning/critical, facility: security/auth, etc), to make possible to use selectors (to avoid parasite "traffic" by searching of the failures).
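
The logging side of the guidelines quoted above, as an added example that is not qBittorrent or fail2ban code: it writes a failure line in the quoted format with the user-supplied name escaped, then reads the log back with an anchored pattern equivalent to a fail2ban `failregex`. The function names and the IPv4-only stand-in for `<HOST>` are assumptions of this sketch.

```python
import json
import re
from datetime import datetime

# Python stand-in for fail2ban's <HOST> tag (IPv4 only here, an assumption;
# the real tag also covers IPv6 and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Anchored on the timestamp and the AUTH-ERROR marker, so the match is decided
# before any user-controlled text is reached.
FAILREGEX = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} WARN AUTH-ERROR: " + HOST +
    r" - Authentication failed for user "
)

def format_auth_failure(when, ip, user, reason):
    """Build one log line; json.dumps escapes quotes, newlines and control bytes."""
    return "%s WARN AUTH-ERROR: %s - Authentication failed for user %s: %s" % (
        when.strftime("%Y-%m-%d %H:%M:%S"), ip, json.dumps(user), reason)

def failed_hosts(log_text):
    """Return the IP of every log line that matches the failure pattern."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

# Constructed input: the second user name contains a line break followed by a
# forged failure line that names 198.51.100.7.
WHEN = datetime(2018, 9, 30, 23, 5, 55)
FORGED = ('x"\n2018-09-30 23:05:56 WARN AUTH-ERROR: 198.51.100.7'
          ' - Authentication failed for user "a')
SAFE_LOG = "\n".join([
    format_auth_failure(WHEN, "192.0.2.1", "tester", "user unknown"),
    format_auth_failure(WHEN, "192.0.2.8", FORGED, "invalid password"),
])
# The same two events as they would look if the name were written unescaped.
RAW_LOG = SAFE_LOG.replace(json.dumps(FORGED), '"%s"' % FORGED)

if __name__ == "__main__":
    print(failed_hosts(SAFE_LOG))  # only the two real clients
    print(failed_hosts(RAW_LOG))   # the forged line adds a third address
```

With escaping, the log stays at one line per event and only the connecting clients are reported; without it, an address that never connected ends up in the ban list.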


@boredomdenied commented on GitHub (Oct 27, 2018):

I would very much like this as well


@Chocobo1 commented on GitHub (Oct 27, 2018):

@zero77
IMO it doesn't make sense for qbt to support other log format, also I suspect it would be much easier the other way around (fail2ban to support qbt log format), they support writing custom filters: https://fail2ban.readthedocs.io/en/latest/filters.html


@Piccirello commented on GitHub (Oct 28, 2018):

All we'd need to do is log some additional information on auth failures- the fail2ban custom filter would take care of the rest. I want to look into this further, but very short on time right now. Will try to make time if no one else picks it up.


@aorith commented on GitHub (Jan 29, 2020):

This regex seems to work fine but only if you use a reverse proxy with nginx to connect to qbittorrent:

`failregex = ^<HOST> - -.*POST /qbt/api/v2/auth/login HTTP/1.1" 200 6 "`

Failed login prints 200 6, successful login 200 3


@Feriman22 commented on GitHub (Jan 4, 2023):

@aorith, could you tell me where is the log file located for this one? Thx!


@aorith commented on GitHub (Jan 4, 2023):

> @aorith, could you tell me where is the log file located for this one? Thx!

The log is wherever you want, it's the log from nginx, see: http://nginx.org/en/docs/http/ngx_http_log_module.html

It's a common practice to reverse proxy local services (for TLS termination, etc), see: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI

The fail2ban custom regex that I posted reads the nginx log file trying to find that pattern, it's a very weak check that worked fine for me, it just checks the bytes from the default nginx logging format, which is:

```
log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
```

So it's the field `$body_bytes_sent`, and it was 6 when a login failed.

It's been a long time and I'm not using qbittorrent at this moment, so maybe they've changed the status code from 200 to 401 already which should make things easier...
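
The detection described in the comments above, as an added example that is not part of the thread and not fail2ban's own code: the posted `failregex` is applied to constructed nginx `combined` lines and failures are counted per host the way a jail's `maxretry` and `findtime` settings would. The sample lines, the IPv4-only stand-in for `<HOST>`, the chosen thresholds and the 401 responses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex quoted above; fail2ban's <HOST> tag is replaced by a named
# group (IPv4 only, an assumption of this sketch).
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) - -.*'
    r'POST /qbt/api/v2/auth/login HTTP/1.1" 200 6 "'
)
TIME_LOCAL = re.compile(r"\[([^\]]+)\]")  # the $time_local field

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry matching lines inside one findtime window."""
    recent = defaultdict(deque)
    banned = []
    for entry in lines:
        m = FAILREGEX.match(entry)
        if not m:
            continue
        stamp = TIME_LOCAL.search(entry).group(1)
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("host")]
        hits.append(when)
        while when - hits[0] > findtime:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned

def access_line(ip, minute, status, size):
    """Constructed nginx 'combined' line for a login POST (sample data)."""
    return ('%s - - [29/Jan/2020:10:%02d:00 +0000] '
            '"POST /qbt/api/v2/auth/login HTTP/1.1" %d %d "-" "curl/7.68.0"'
            % (ip, minute, status, size))

SAMPLE = [
    access_line("192.0.2.5", 0, 200, 6),
    access_line("192.0.2.5", 1, 200, 6),
    access_line("192.0.2.9", 1, 200, 3),   # successful login, not matched
    access_line("192.0.2.5", 2, 200, 6),   # third failure inside the window
    access_line("192.0.2.8", 3, 200, 6),   # failures 27 and 25 minutes apart
    access_line("192.0.2.8", 30, 200, 6),
    access_line("192.0.2.8", 55, 200, 6),
    access_line("192.0.2.7", 4, 401, 0),   # hypothetical 401 reply: never matched
    access_line("192.0.2.7", 5, 401, 0),
    access_line("192.0.2.7", 6, 401, 0),
]
print(hosts_to_ban(SAMPLE))
```

Because the pattern keys on the status code and byte count, a release that answers failed logins differently makes the filter stop matching without any error, so the pattern needs re-testing against a fresh log after each upgrade.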
