feat: Add security logger for fail2ban integration

- Security events logged to /var/log/nordabiznes/security.log - Failed login attempts include IP address - Format compatible with fail2ban filter
2026-01-14 21:07:09 +01:00 · 2026-01-14 21:07:09 +01:00 · b6c58c9312
commit b6c58c9312
parent af3ba43c89
1 changed files with 17 additions and 0 deletions
--- a/app.py
+++ b/app.py
@ -78,6 +78,19 @@ logging.getLogger().addHandler(debug_handler)

 logger = logging.getLogger(__name__)

+# Security logger for fail2ban integration
+# Logs to /var/log/nordabiznes/security.log in production
+security_logger = logging.getLogger('security')
+security_logger.setLevel(logging.WARNING)
+_security_log_path = '/var/log/nordabiznes/security.log'
+if os.path.exists('/var/log/nordabiznes'):
+    _security_handler = logging.FileHandler(_security_log_path)
+    _security_handler.setFormatter(logging.Formatter(
+        '%(asctime)s [%(levelname)s] %(message)s',
+        datefmt='%Y-%m-%d %H:%M:%S'
+    ))
+    security_logger.addHandler(_security_handler)
+
 # Import database models
 from database import (
    init_db,
@ -3863,7 +3876,11 @@ def login():
            user = db.query(User).filter_by(email=email).first()

            if not user or not check_password_hash(user.password_hash, password):
+                client_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
+                if client_ip and ',' in client_ip:
+                    client_ip = client_ip.split(',')[0].strip()
                logger.warning(f"Failed login attempt for: {email}")
+                security_logger.warning(f"FAILED_LOGIN ip={client_ip} email={email}")
                flash('Nieprawidłowy email lub hasło.', 'error')
                return render_template('auth/login.html')