New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[NEW] Log authentication failures with client address #334
Comments
Printing logs is a relatively cautious operation, and this proposal has a point to consider: how to determine the information that logs should record. If there are a large number of illegal requests, there may be a large number of logs, which will ultimately affect server storage. In practical scenarios, a service is generally required to regularly read ACL LOG to record relevant information. |
One approach to prevent flooding the log files is to rate-limit such logs. The idea is similar to Line 3687 in 7809df0
ACL LOG has a size limit ( In my opinion recording the auth failure events in server logs and ACL LOG serve for different purposes, and we can have both. Server logs can be used for automated monitoring and auditing on potential malicious events, while ACL LOG can be used for getting more details when such malicious events are detected. |
@sonicloong, have you considered implementing a metric-based approach instead? I see a couple of issues with relying heavily on logging:
Here's what I suggest for a metric-based system, outlined at a high level:
This approach would provide a more structured and manageable way to monitor security-related events without overwhelming the system with log data. |
@PingXie Great suggestions. I think what you proposed would provide useful insights in addition to what ACL LOG provides today, and I'd be happy to introduce a new ACL subcommand for doing that. What I'd also like to propose is the option for writing auth event logs to disk for auditing purposes, in case the in-memory stats are reset by someone who manages to be authenticated to an admin user, or wiped out when the server is shut down. It would be great if Valkey can support certain level of audit logging, as many databases offer today. Agree that structured logging would make logs easier to analyze. As for the DDoS concern, I believe it can be resolved by applying rate limiting on logging (there's an example I referred to in my previous comment), or only logging the first occurrence of identical events, keyed on (event type, client address). To address the concerns, I think following are some requirements if Valkey plans to provide audit logging:
Server admins can then build monitoring service that watches audit log file changes and take actions. |
The problem/use-case that the feature addresses
Failed password authentications could indicate there might be a client that used trial-and-error to guess the Redis password. Having logs with the client address for authentication failure events would help the server admin to detect if the client is potentially an attacker.
Description of the feature
Log authentication failures with client address.
Alternatives you've considered
ACL LOG provides recent ACL security events, including authentication failures. However these events will be lost when the Redis server crashes or is shut down. Also there are ways to push those events out or reset them. So having the events in server logs would be a better option for auditing purposes.
Additional information
Happy to submit a PR if this request makes sense.
The text was updated successfully, but these errors were encountered: