„Lockdown Mode“ for more security

[lukaslindnermusic]

Context: I have immich installed on a NAS in my local network and the proxy lives on my VPS where also other public services are running. I manage that VPS only through a VPN connection, and the proxy also utilizes this VPN to connect back to my NAS (only the port for immich is allowed).

Currently, I think every theoretically valid link gets sent to the api to check if it exists.
That way, it is theoretically possible to spam the immich host device with requests through the proxy by just using a random string.

I personally would prefer that the proxy contacts the immich host only if absolutely necessary... aka I would prefer it if the proxy knows in advance which shared links are currently active, matches the request against that list of links and only calls the immich instance when there is a match.

I think that this could be implemented by using a simple txt file in the docker compose directory that gets binded to the container in the same way as the custom config does. The txt file then would contain the random link token, one on each line.

Of course, this requires the additional step to update this list if you share something new or remove something, but you can also automate this in various ways (for example with bash scripts that are called via an Apple Shortcut or something).
But as this additional security layer requires an additional step when sharing a new link through Immich, I would make it optional and disabled by default. So you could set up a flag for "lockdown_mode" (or however you wanna call it) in the config that needs to be set to true (and also obviously the binding of the list has to exist).

What are your thoughts on this? I think it would be easily implemented and a good improvement if you really care about exposing only the absolutely necessary stuff.

[alangrainger]

Someone doing what they shouldn't be doing will generate a lot of 4xx errors, so I think it would be easier and more robust to use an existing solution like Fail2Ban to block that traffic.

That way you can completely customise the blocking / timeframe / limits / etc.

it would bea good improvement if you really care about exposing only the absolutely necessary stuff.

The "Lockdown mode" proposal would still expose the same amount of information as the existing solution (i.e. that there is nothing at a random string link). And using something like Fail2Ban will mitigate any risk of spam to the Immich host.

[lukaslindnermusic]

ah yeah, utilizing fail2ban is a good idea.

Do you already have a custom jail set up for this?
If no, I might try something later and upload it as a resource for others 👍

you're right. it would not "expose" any info directly.

[alangrainger]

No I don't sorry - but if you would like to document it, I would love to add that to the docs for others to benefit from.

[lukaslindnermusic]

Ok, it was not that big of a deal.
In addition to the 404 jail for spamming prevention, I also added a jail for too many login attempts with password protected links.

I added these jails to /etc/fail2ban/jail.local to ban for 4 weeks:

# Block ips that get five 404 responses with immich public proxy within an hour
[photos-vhost-404]
enabled  = true
port     = http,https
filter   = photos-vhost-404
logpath  = /var/log/apache2/photos_access.log
maxretry = 5
findtime = 3600
bantime  = 2419200
action   = iptables-ipset-proto6[name=apache-custom, port="http,https", protocol=tcp, bantime=2419200]

# Block ips that get ten 401 errors with immich public proxy within an hour 
[photos-vhost-401]
enabled  = true
port     = http,https
filter   = photos-vhost-401
logpath  = /var/log/apache2/photos_access.log
maxretry = 10
findtime = 3600
bantime  = 2419200
action   = iptables-ipset-proto6[name=apache-custom, port="http,https", protocol=tcp, bantime=2419200]

And here are the filters... I am using apache with the vhost_combined log format, so I added my vhost at the beginning of the regex. This should be removed when the vhost is not part of the log:
/etc/fail2ban/filter.d/photos-vhost-401.conf:

[Definition]
failregex = ^photos\.domain\.tld:443 <HOST> - - \[.*\] ".*" 401 .*
ignoreregex =

/etc/fail2ban/filter.d/photos-vhost-404.conf:

[Definition]
failregex = ^photos\.domain\.tld:443 <HOST> - - \[.*\] ".*" 404 .*
ignoreregex =

This is now while using this on my apache vhost:

# Ensure Apache intercepts proxy errors
    ProxyErrorOverride On

    # ErrorDocument directives
    ErrorDocument 401 /path/to/custom/401.html
    ErrorDocument 404 'This is my 404 page'

Apache did not log 404 errors when I used ErrorDocument 404 https://other.domain.tld/404, instead it obviously became a Redirect.
So I guess, this will also stop working when the auto redirect in the config (for which there currently is a pull request) is set to something, but then you can adjust the regex to match your Redirect.