Config+Auth: Add flags to log unauthorized requests

[networkException]

What is the purpose of this change? What does it change?

Currently it is not possible to integrate rest-server into a service like fail2ban
which prevents brute force login attempts.

This pull request adds new command line flags in order to support logging of
unauthorized requests to the server. The flag --log-auth-failure enables
the logging and uses the remote address of the request as the default for
the logged ip. If the server is used behind a reverse proxy for, --header-for-ip
can be used to specify a header like "X-Forwarded-For" to be used for logging
the ip.

Was the change discussed in an issue or in the forum before?

There was a forum question about fail2ban without an actual solution: https://forum.restic.net/t/rest-server-and-fail2ban/2569

Checklist

• I have enabled maintainer edits for this PR
• I have added tests for all changes in this PR: Unsure where to implement tests
• I have added documentation for the changes (in the manual): Documentation has been added to the readme
• There's a new file in changelog/unreleased/ that describes the changes for our users (template here)
• I have run gofmt on the code in all commits
• All commit messages are formatted in the same style as the other commits in the repo: Unsure, commit style inconsistent
• I'm done, this Pull Request is ready for review

[rawtaz]

Thanks for your contribution. I'm however thinking that instead of having a separate flag to turn this feature on, it's better with sane defaults and if needed a way to specify different verbosity in the regular log. The latter could also be used for other things, and we already use that type of thing in restic (the --verbose option). In other words, instead of adding flags for every thing we want loggable, better to put them in the right verbosity level and use that.

It's unfortunate that we're using -v for --version, it would be better if --version would be its own command instead, like in restic, as opposed to an option. This can be changed though, it's not like a ton of people are depending on the -v option..

I'm also pondering if the --header-for-ip shouldn't be renamed --ip-header or possibly --header-ip.

[networkException]

I'm not familiar enough with the codebase to refactor the whole logging system to respond to verbosity levels I fear.

As for the flag --ip-header sounds alright, I will change that

[mozlima]

By default, log at least the '401 Unauthorized' error so that we can take automatic action on the server. Currently, there is no way to do this, and it poses a security risk.

[saviodsouza]

Hi

With rest-server 13.0 the following filter and jail works.

/etc/fail2ban/filter.d/rest-server.conf

# Fail2Ban configuration file
#
# Regexp to stop unauthorized access to rest-server


[Definition]

failregex = ^<HOST> - - \[.*?\] "HEAD /config HTTP/1\.1" 401 \d+ "" "Go-http-client/1\.1"

ignoreregex =

datepattern =  ^[^\[]*\[(Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?)
              {^LN-BEG}


# DEV Notes:
#
# Tested on Rest-Server version 13.0
# Generated on Tue Sep  17 2024
#
# Author: Savio D'souza

/etc/fail2ban/jail.d/rest-server.conf

# service name
[rest-server]
# turn on /off
enabled  = true
# ports to ban (numeric or text)
port     = 8000,8001
# filter from previous step
filter   = rest-server
# file to parse
logpath  = /mnt/rest-server/backups/rest.log
# ban rule:
# 5 times on 1 minute
maxretry = 5
findtime = 60
# ban on 10 minutes
bantime = 600