Monitoring Web GUI Login Failures

Problem/Justification
While it is possible to receive email notifications of failed SSH login attempts, from a security monitoring (of hacking attempts) perspective, it would be great to also have the option of being notified by email if n (let’s say, for example, 3) login attempts failed in a row from a specific IP. Something like fail2ban for WebGUI access would be awesome, but just an email would work well too. This would give more confidence about TrueNAS’s security posture (by alerting to potential hacking attempts).

Impact
Will give enterprise as well as home users confidence that no bad actor is trying to access their TrueNAS/data via the WebGUI (SSH is already monitored). If such an email is received, then the user will be aware that their TrueNAS system is being targeted and can work on resolving the cause prior to TrueNAS being penetrated.

While SMB/NFS ransomware can be remedied via reverting snapshots, if an attacker gains WebGUI or SSH access – it is game over.

User Story
Interested enterprise and home users can sleep just a little easier knowing that if a bad actor was somehow able to start targeting their TrueNAS data for ransom or deletion via the WebGUI, they would be made aware of it.

Even management networks can be compromised if a management node is compromised; TrueNAS data is too important to risk.

(If someone has found an alternate means of accomplishing this, would really appreciate a hint in the right direction – past forum posts suggest this is not yet implemented.)

Have you looked at audit logs?

Thanks – Audit Logs are indeed a superb feature.

Does it sound like a cron job could theoretically be set up to parse the log for failed authentications (and somehow hook into the email feature)?

Is there a recommended avenue to set this up to survive upgrades?

Starting in Electric Eel we generate a nightly alert with a list of failed login attempts via API / UI just like we do with SSH. This goes out through normal alert mechanisms (e.g. email, PagerDuty, etc.).

The alert provides a list of IP addresses, attempted usernames, and session IDs. The session IDs can be used to track down additional information about the login attempt if needed.

NOTE: this is not in BETA1, but will be in RC1.

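The check requested in this thread (n failed logins in a row from one IP, reporting the IP, attempted usernames and session IDs), sketched as an added example that is not part of the original posts and is not TrueNAS code. The JSON-lines record layout, field names and sample events are constructed for illustration and are not the TrueNAS audit log format.

```python
import json
from collections import defaultdict

# Constructed sample events (hypothetical layout, NOT the TrueNAS audit schema).
SAMPLE_LOG = """\
{"ip": "192.0.2.10", "user": "admin", "session": "s-001", "success": false}
{"ip": "198.51.100.7", "user": "alice", "session": "s-101", "success": false}
{"ip": "192.0.2.10", "user": "root", "session": "s-002", "success": false}
{"ip": "198.51.100.7", "user": "alice", "session": "s-102", "success": false}
this line is truncated or corrupt
{"ip": "198.51.100.7", "user": "alice", "session": "s-103", "success": true}
{"ip": "192.0.2.10", "user": "admin", "session": "s-003", "success": false}
{"ip": "198.51.100.7", "user": "alice", "session": "s-104", "success": false}
{"ip": "203.0.113.5", "user": "bob", "session": "s-201", "success": true}
"""


def find_repeat_failures(lines, threshold=3):
    """Return {ip: [(user, session), ...]} for every IP that reached
    `threshold` failed logins in a row. A successful login from an IP
    resets that IP's streak, so a mistyped password does not alert."""
    streak = defaultdict(list)  # current run of failures per source IP
    flagged = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            ip, ok = event["ip"], event["success"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the run
        if ok:
            streak[ip].clear()
            continue
        streak[ip].append((event.get("user", "?"), event.get("session", "?")))
        if len(streak[ip]) >= threshold:
            flagged[ip] = list(streak[ip])  # keep the evidence for the alert
    return flagged


if __name__ == "__main__":
    for ip, attempts in find_repeat_failures(SAMPLE_LOG.splitlines()).items():
        users = ", ".join(sorted({user for user, _ in attempts}))
        sessions = ", ".join(session for _, session in attempts)
        print(f"{ip}: {len(attempts)} consecutive failures; "
              f"users: {users}; sessions: {sessions}")
```
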

Fantastic! Looking forward to Electric Eel RC and Release.

Thank you to the iX team!