
feat: add auth reject logging for fail2ban integration#9

Closed
jozefrebjak wants to merge 2 commits into develop from feat/auth-reject-log

Conversation

@jozefrebjak
Contributor

Summary

  • Add AUTH_REJECT_LOG env var that enables logging Access-Reject events to /var/log/freeradius/auth-reject.log
  • Uses FreeRADIUS linelog module in Post-Auth-Type REJECT section
  • Only logs when Calling-Station-Id is present (skips internal requests without client IP)
  • Optional AUTH_REJECT_LOG_PATH to customize log file location

Log format

2026-04-02 10:06:44 : Auth-Reject : user=admin calling-station-id=1.2.3.4 called-station-id=10.0.0.1

Usage

AUTH_REJECT_LOG: "true"
# Optional: AUTH_REJECT_LOG_PATH: "/var/log/freeradius/auth-reject.log"

Mount log directory for fail2ban access:

volumes:
  - /var/log/freeradius:/var/log/freeradius

Test plan

  • Container starts with AUTH_REJECT_LOG=true
  • Access-Reject with Calling-Station-Id is logged
  • Access-Reject without Calling-Station-Id is NOT logged
  • Log format is parseable by fail2ban
  • Restart does not create duplicate entries in site config

Closes #8
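The log format and the test plan items above ("log format is parseable by fail2ban", rejects without a Calling-Station-Id are not logged) can be checked offline with a small detector. The following Python is an added example, not code from this PR or from the project: it parses the PR's line format with a regex shaped like a fail2ban failregex (the `<HOST>` tag corresponds to the `host` group) and applies fail2ban-style `maxretry`/`findtime` counting over a few constructed log lines. The sample lines, the thresholds and the `FAIL2BAN_FAILREGEX` string (an assumed equivalent in fail2ban filter syntax, not taken from the PR) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed fail2ban-syntax equivalent of the regex below. fail2ban strips the
# leading timestamp itself and substitutes its own IP pattern for <HOST>.
FAIL2BAN_FAILREGEX = (
    r"^ : Auth-Reject : user=\S* calling-station-id=<HOST> called-station-id=\S+$"
)

# Python regex for the PR's line format:
# 2026-04-02 10:06:44 : Auth-Reject : user=admin calling-station-id=1.2.3.4 called-station-id=10.0.0.1
AUTH_REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : Auth-Reject : "
    r"user=(?P<user>\S*) "
    r"calling-station-id=(?P<host>\S+) "
    r"called-station-id=(?P<nas>\S+)$"
)

# Constructed sample log, not real data: one source with a burst of rejects,
# one with only two, one with five rejects spread over hours, one line with an
# empty Calling-Station-Id (should never be written per the PR, but the parser
# must reject it anyway) and one unrelated line.
SAMPLE_LINES = [
    "2026-04-02 10:06:44 : Auth-Reject : user=admin calling-station-id=1.2.3.4 called-station-id=10.0.0.1",
    "2026-04-02 10:06:51 : Auth-Reject : user=admin calling-station-id=1.2.3.4 called-station-id=10.0.0.1",
    "2026-04-02 10:07:03 : Auth-Reject : user=root calling-station-id=1.2.3.4 called-station-id=10.0.0.1",
    "2026-04-02 10:07:20 : Auth-Reject : user=test calling-station-id=1.2.3.4 called-station-id=10.0.0.1",
    "2026-04-02 10:07:45 : Auth-Reject : user=admin calling-station-id=1.2.3.4 called-station-id=10.0.0.1",
    "2026-04-02 10:07:50 : Auth-Reject : user=alice calling-station-id=5.6.7.8 called-station-id=10.0.0.1",
    "2026-04-02 10:09:12 : Auth-Reject : user=alice calling-station-id=5.6.7.8 called-station-id=10.0.0.1",
    "2026-04-02 08:00:00 : Auth-Reject : user=bob calling-station-id=10.9.8.7 called-station-id=10.0.0.2",
    "2026-04-02 08:30:00 : Auth-Reject : user=bob calling-station-id=10.9.8.7 called-station-id=10.0.0.2",
    "2026-04-02 09:00:00 : Auth-Reject : user=bob calling-station-id=10.9.8.7 called-station-id=10.0.0.2",
    "2026-04-02 09:30:00 : Auth-Reject : user=bob calling-station-id=10.9.8.7 called-station-id=10.0.0.2",
    "2026-04-02 10:00:00 : Auth-Reject : user=bob calling-station-id=10.9.8.7 called-station-id=10.0.0.2",
    "2026-04-02 10:08:00 : Auth-Reject : user=bob calling-station-id= called-station-id=10.0.0.1",
    "2026-04-02 10:08:30 : Auth-Accept : user=alice calling-station-id=5.6.7.8 called-station-id=10.0.0.1",
]


def parse_line(line):
    """Return the fields of one Auth-Reject line as a dict, or None if the
    line does not match the format (including an empty Calling-Station-Id)."""
    m = AUTH_REJECT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def rejects_over_threshold(lines, maxretry=5, findtime=600):
    """Mimic a fail2ban jail: return the set of calling-station-ids that
    produced at least `maxretry` rejects inside any `findtime`-second window."""
    stamps_by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable or not an Auth-Reject: ignore
        stamps_by_host[rec["host"]].append(rec["ts"])

    window = timedelta(seconds=findtime)
    offenders = set()
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        for i in range(len(stamps)):
            # Count rejects from stamps[i] forward that fall inside the window.
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= maxretry:
                offenders.add(host)
                break
    return offenders


if __name__ == "__main__":
    for host in sorted(rejects_over_threshold(SAMPLE_LINES)):
        print("threshold exceeded for calling-station-id", host)
```

The value this keys on is whatever the NAS reported in Calling-Station-Id, so a matching fail2ban jail would ban that address on the host running the container. Whether such a ban has any effect depends on the network path between the client and the RADIUS server, which is the point raised when this PR was closed.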

Add AUTH_REJECT_LOG env var that enables logging of Access-Reject events
to a file using the FreeRADIUS linelog module. Only logs entries where
Calling-Station-Id is present (skip internal/empty requests).

Log format: timestamp : Auth-Reject : user=X calling-station-id=X called-station-id=X

The log file can be mounted and consumed by fail2ban on the host VM
to block brute force attackers via iptables/nftables.

Closes #8
@github-actions github-actions Bot added the enhancement Enhancements ⬆️ label Apr 2, 2026
Update README with AUTH_REJECT_LOG feature documentation including
Docker Swarm setup, fail2ban filter/jail configuration, and Prometheus
monitoring via fail2ban-exporter. Also update Custom Post-Auth Queries
section with EXTENDED option documentation.
@github-actions github-actions Bot added the chore label Apr 2, 2026
@jozefrebjak
Contributor Author

Closing - fail2ban on VM cannot block Calling-Station-Id since traffic comes from NAS, not directly from attacker. Need to block at ASA level instead.

@jozefrebjak jozefrebjak closed this Apr 2, 2026
@jozefrebjak jozefrebjak deleted the feat/auth-reject-log branch April 2, 2026 09:12

Development

Successfully merging this pull request may close these issues.

feat: add auth reject log for fail2ban integration
