Logging of failed login attempts to the admin UI

[Weizenritter]

Hey, I wonder whether NPM logs failed (and successful) logins to the admin UI in some log-file. I started the container using the example docker-compose.yml:

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

Now when I login using wrong credentials I cannot find any logging of that. The only log files I can find in the container are the following, but they don't contain what I expect.

[root@docker-c6478b306f7f:/app]# find / -name "*.log"
/root/.npm/_logs/2024-02-28T22_11_17_837Z-debug-0.log
/root/.npm/_logs/2024-02-28T22_11_19_128Z-debug-0.log
/var/log/apt/history.log
/var/log/apt/term.log
/var/log/nginx/error.log
/var/log/dpkg.log
/var/log/alternatives.log
/data/logs/fallback_error.log
/data/logs/fallback_access.log

Can anyone help me find such a log file, or doesn't log those attempts?

[diggerydoo]

I have this exact same question. Any updates?

[tloehr]

Would it be very difficult to get a log file entry for failed login attempts in the next release ? I really like to set fail2ban to lock out malicious ip adresses.

[saddevil16]

I'd like to do that as well in future, but for the moment my workaround is just restricting access and allow localhost only to connect to NPM admin UI.

docker-compose.yml:

nginx_proxy_manager:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'       # HTTP
      - '443:443'     # HTTPS
      - '127.0.0.1:81:81' # Admin UI restricted to localhost

When I need to modify it from outside, I'll open a ssh tunnel. eg: ssh user@ipserver -L 8080:127.0.0.1:81 & access through http://127.0.0.1:8080/

[tloehr]

What a good idea. Thanks for the advice. 👍

[michaeltroger]

I‘d also be interested in this. Same as @saddevil16 I had the idea to not publish the port for the Admin UI to the host.
Just to add: At least with the default config, the Admin port would even then still be reachable from within its Docker network(s). To prevent that I guess you would need to set up some firewall.

Anyhow my approach is slightly different and would create access logs for the most common use cases. Setup:

1. Run NPM image with default port settings (so publishing 81)
2. Go into the NPM Admin interface and bind the Admin interface Port (81) as Reverse Proxy npm.yourdomain.com -> http://localhost:81
3. Adapt the NPM compose.yml to not expose the port 81 as described above and recreate the image

Now you will get access logs like for any other reverse proxy added. You will only be able to reach the admin interface by npm.yourdomain.com. dockerhost:81 should be blocked. All traffic should show up in the logs with one exception: As mentioned in the first paragraph, theoretically the other docker containers being in the same Docker network as NPM could still bypass the proxy and access the Admin port directly. At least without further measures.