Security: Brute force attacks on the login form

[holzhannes]

Does Paperless have any precautions against brute force attacks on the login form?
I could not observe any security mechanisms like a login delay so far.

[jonaswinkler]

The Django framework doesn't have any built-in rate limiting on login requests. However, I believe that you can easily set that up with your nginx / apache proxy server.

[holzhannes]

Ok good point. I had a look at it. If I see it right a failed login is logged with a POST and status code 200 for the URL "/accounts/login/", a successful login with a POST and status code 302 for the URL "/accounts/login/"

Here is an example log of a failed login:

IP-ADDRESS - - [19/Mar/2021:14:06:11 +0100] "POST /accounts/login/ HTTP/2.0" 200 787 "https://paperless.example.com/accounts/login/" "Mozilla/5.0 (DEVICE) ... Firefox/86.0"

To use it with Fail2Ban create a file /etc/fail2ban/filter.d/paperless.conf with the following config:

[Definition]
failregex = <HOST>.*] \"POST *\/accounts\/login\/.* HTTP.* 200 .*$
ignoreregex =

After creating this config file you can use it within a jail. The following jail will use the filter config paperless and block tcp traffic from the "attacking" IP address after 5 failed login attempts to port 80 and 443 for 600 seconds.

[Paperless]
enabled = true
filter = paperless
action = iptables-multiport[name="paperless", port="80,443", protocol="tcp"]
logpath = /var/www/vhosts/paperless.example.de/logs/proxy_access_ssl_log
bantime = 600
maxretry = 5

Maybe this short notes help someone. Feel free to improve or correct my "solution".

If you use paperless-ng on NAS like Synology maybe have a look at docker-fail2ban-synology.