forked from Shiloh/githaven
980b0df829
Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
101 lines
2.9 KiB
Markdown
101 lines
2.9 KiB
Markdown
---
|
|
date: "2018-05-11T11:00:00+02:00"
|
|
title: "Usage: Setup fail2ban"
|
|
slug: "fail2ban-setup"
|
|
weight: 16
|
|
toc: false
|
|
draft: false
|
|
menu:
|
|
sidebar:
|
|
parent: "usage"
|
|
name: "Fail2ban setup"
|
|
weight: 16
|
|
identifier: "fail2ban-setup"
|
|
---
|
|
|
|
# Fail2ban setup to block users after failed login attempts
|
|
|
|
**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make
|
|
sure to test this before relying on it so you don't lock yourself out.**
|
|
|
|
Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in
|
|
`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
|
|
on a bad authentication from the web or CLI using SSH or HTTP respectively:
|
|
|
|
```log
|
|
2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
```log
|
|
2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
```log
|
|
2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
```log
|
|
2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
```log
|
|
2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
```log
|
|
2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
```log
|
|
2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
|
|
```
|
|
|
|
Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:
|
|
|
|
```ini
|
|
# gitea.conf
|
|
[Definition]
|
|
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
|
ignoreregex =
|
|
```
|
|
|
|
Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:
|
|
|
|
```ini
|
|
[gitea]
|
|
enabled = true
|
|
filter = gitea
|
|
logpath = /var/lib/gitea/log/gitea.log
|
|
maxretry = 10
|
|
findtime = 3600
|
|
bantime = 900
|
|
action = iptables-allports
|
|
```
|
|
|
|
If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**
|
|
chain in **iptables**. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:
|
|
|
|
```ini
|
|
[gitea-docker]
|
|
enabled = true
|
|
filter = gitea
|
|
logpath = /home/git/gitea/log/gitea.log
|
|
maxretry = 10
|
|
findtime = 3600
|
|
bantime = 900
|
|
action = iptables-allports[chain="FORWARD"]
|
|
```
|
|
|
|
Then simply run `service fail2ban restart` to apply your changes. You can check to see if
|
|
fail2ban has accepted your configuration using `service fail2ban status`.
|
|
|
|
Make sure and read up on fail2ban and configure it to your needs, this bans someone
|
|
for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.
|
|
|
|
If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add
|
|
this to your Nginx configuration so that IPs don't show up as 127.0.0.1:
|
|
|
|
```
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
```
|