3

I downloaded Firebird 2.5 from the official website and installed it on a Linux machine. The install location is /opt/firebird.

I want to be able to view authentication attempt logs for security reasons (for example, to allow tools like fail2ban to detect and block possible brute force attacks).

However, for some reason, /opt/firebird/firebird.log does not log authentication failures. I also checked /var/log/syslog and did not find any Firebird log.

How do I configure Firebird 2.5 to log authentication attempts?

1 Answer

2

I managed to enable authentication failure logs (which is enough for using fail2ban).

Firebird 2.5 has a trace services feature which logs various server events, such as errors (which includes authentication errors).

You first have to edit /opt/firebird/fbtrace.conf and change the following lines:

...
# default database section
#
<database>
        # Do we trace database events or not
        enabled false
        #       ^^^^^ Change to true
...

And:

...
        # Put errors happened
        #log_errors false
       #^^^^^^^^^^^^^^^^^ Uncomment and change to true
...

After this, add the following line to /opt/firebird/firebird.conf:

AuditTraceConfigFile = /opt/firebird/fbtrace.conf

Then, you have to create the log file /opt/firebird/default_trace.log (which Firebird didn't automatically create for me) using:

touch /opt/firebird/default_trace.log

Then make sure all Firebird files have the correct owner and group:

chown -R firebird:firebird /opt/firebird

Then restart the Firebird server using:

systemctl restart firebird

Now /opt/firebird/default_trace.log will log authentication errors.

This is an example of the log line(s):

2022-10-28T16:31:11.7300 (1313:0x7fd691ca1cc0) ERROR AT jrd8_attach_database
        database_path (ATT_0, user, UTF8, TCPv4:XXX.XXX.XXX.XXX/[source port])
335544472 : Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

Although unrelated to this question, here's my fail2ban configuration for Firebird 2.5:

/etc/fail2ban/filter.d/firebird.conf:

# Fail2Ban filter for unsuccessful Firebird authentication attempts

[Init]
maxlines = 3

[Definition]

datepattern = ^%%Y-%%m-%%dT%%H:%%M:%%S

failregex = ^.*ERROR.*\n.*TCPv4:<HOST>\/\d+\)\n\d+ : Your user name and password are not defined\. Ask your database administrator to set up a Firebird login\.$

ignoreregex =

/etc/fail2ban/jail.local:

[firebird]
enabled = true
filter = firebird
action = iptables[name=firebird, port="3050", protocol=tcp]
logpath = /opt/firebird/default_trace.log
maxretry = 5
findtime = 60
bantime = 86400
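
An added example (not part of the original answer): a Python sketch that checks the filter and jail settings above against constructed trace entries, approximating fail2ban's multi-line matching with a three-line sliding window. The IPv4 stand-in for <HOST>, the database path, the user name and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the filter above; <HOST> swapped for a simplified IPv4 group (assumption).
FAILREGEX = re.compile(
    r"^.*ERROR.*\n.*TCPv4:(?P<host>\d{1,3}(?:\.\d{1,3}){3})\/\d+\)\n"
    r"\d+ : Your user name and password are not defined\. "
    r"Ask your database administrator to set up a Firebird login\.$"
)
MAXLINES, MAXRETRY, FINDTIME = 3, 5, 60  # from the filter and jail above
AUTH_MSG = ("335544472 : Your user name and password are not defined. "
            "Ask your database administrator to set up a Firebird login.")

def trace_entry(ts, ip, port, msg=AUTH_MSG):
    """One constructed trace entry shaped like the sample (path and user are made up)."""
    return [f"{ts}.7300 (1313:0x7fd691ca1cc0) ERROR AT jrd8_attach_database",
            f"\t/data/app.fdb (ATT_0, SYSDBA, UTF8, TCPv4:{ip}/{port})", msg, ""]

def find_failures(lines):
    """Slide a MAXLINES window over the log; return (timestamp, host) per match."""
    hits = []
    for i in range(len(lines) - MAXLINES + 1):
        m = FAILREGEX.match("\n".join(lines[i:i + MAXLINES]))
        if m:  # datepattern equivalent: first 19 characters of the header line
            when = datetime.strptime(lines[i][:19], "%Y-%m-%dT%H:%M:%S")
            hits.append((when, m["host"]))
    return hits

def hosts_to_ban(hits):
    """Hosts with at least MAXRETRY failures inside a FINDTIME-second span."""
    recent, banned = defaultdict(deque), set()
    for when, host in sorted(hits):
        q = recent[host]
        q.append(when)
        while (when - q[0]).total_seconds() > FINDTIME:
            q.popleft()
        if len(q) >= MAXRETRY:
            banned.add(host)
    return banned

# Constructed log: one host fails 5 times in 40 s, another once, plus one other error.
SAMPLE = [line for n in range(5) for line in
          trace_entry(f"2022-10-28T16:31:{10 + n * 10:02d}", "203.0.113.7", 51544 + n)]
SAMPLE += trace_entry("2022-10-28T16:32:05", "198.51.100.23", 40112)
SAMPLE += trace_entry("2022-10-28T16:32:09", "198.51.100.23", 40113, "0 : constructed other error")

if __name__ == "__main__":
    print(sorted(hosts_to_ban(find_failures(SAMPLE))))
```

On a real installation, fail2ban's own fail2ban-regex tool can be run against /opt/firebird/default_trace.log and the filter file to confirm the match counts.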
