Fail2Ban with Admin plugin

Arthur · March 7, 2022, 7:37pm

Hello,

I would like to use fail2ban to block access to IPs that attempt too many time to log-in with wrong username/password. But I cannot find the logfile in which the failed log-in attempt is logged.
Can someone help me locate this logfile (or maybe enable it) ?

Best regards
Arthur

pamtbaau · March 8, 2022, 7:55am

@Arthur, I noticed folder /cache/login/login_attempts/ has been created which contains entries for each of my failed attempts. But I’m not sure about the meaning of all these entries or what conclusions you may draw from them.

If no one else here on the forum knows for sure, you might try the devs themselves at GitHub - getgrav/grav-plugin-login: Grav Login Plugin

Arthur · March 9, 2022, 4:46pm

Thank you @pamtbaau
I’ve contacted the developer teams and I will post here the results if I reach a solution.

Best regards

joejac · May 27, 2025, 3:28pm

Hello @Arthur did you find a way to jail the Grav Admin logins with Fail2Ban?
Unfortunately, there is no response to your Issue opened on Github on Mar 8, 2022

I would also like to protect the Grav login.
Thanks and regards
joejac

joejac · May 27, 2025, 5:13pm

Hello again @Arthur
I found in Grav documentation this feature:

"Brute force attacks are a popular choice for website intruders. It could come in the form of someone you know trying to guess your password over and over until they are finally successful or a bot flooding your site with login attempts until eventually the password has been discovered.

Grav’s flood protection (also known as rate limiting) feature makes these kinds of attacks exceptionally difficult. It allows you to set a number of failed login attempts within a specific amount of time before the account gets temporarily locked out. Additionally, you can restrict the amount of password reset requests applied to accounts before locking this feature out"
Flood Protection | Grav Documentation

In the Login plugin, in the Security tab, it has, by default:
5 login attempts
10 minutes lock after 5 failed login attempts.
These values are configurable.
I tested it and it works fine. I think this feature is enough, it resembles Fail2ban.

Hope this can help.
Regards.

Arthur · May 27, 2025, 8:06pm

Hello @joejac
Thank you for your answer, I didn’t pursue much further the attempts to protect grav admin login with Fail2Ban.
I also didn’t know about the flood protection integrated in the login plugin, but I’m really happy that it was there all this time (and thank you again for showing it to me).

Topic		Replies	Views
Prevent unauthorized Grav admin login attempts? Archive	0	619	April 20, 2017
Security question (breakdown?) Archive	2	430	May 20, 2016
Login redirects to login Archive	3	456	November 16, 2015
Security for Admin login? Lock after set number of tries admin	1	899	July 19, 2017
Access Denied in Admin Panel Archive	8	804	October 30, 2015

Fail2Ban with Admin plugin

Related topics