mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16259 Commits
17 Branches
Tree: 476b9d1589
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '476b9d1589'
${ noResults }
gitea/docs/content/administration/fail2ban-setup.zh-cn.md

fail2ban-setup.zh-cn.md 3.3KB
Raw Normal View History

docs: zh-cn translations for fail2ban setup (#20588) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1 year ago
Adjust some documentations titles (#23941) As title.
1 year ago
docs: zh-cn translations for fail2ban setup (#20588) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1 year ago
Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com>
10 months ago
docs: zh-cn translations for fail2ban setup (#20588) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1 year ago
Refactor docs (#23752) This was intended to be a small followup for https://github.com/go-gitea/gitea/pull/23712, but...here we are. 1. Our docs currently use `slug` as the entire URL, which makes refactoring tricky (see https://github.com/go-gitea/gitea/pull/23712). Instead, this PR attempts to make future refactoring easier by using slugs as an extension of the section. (Hugo terminology) - What the above boils down to is this PR attempts to use directory organization as URL management. e.g. `usage/comparison.en-us.md` -> `en-us/usage/comparison/`, `usage/packages/overview.en-us.md` -> `en-us/usage/packages/overview/` - Technically we could even remove `slug`, as Hugo defaults to using filename, however at least with this PR it means `slug` only needs to be the name for the **current file** rather than an entire URL 2. This PR adds appropriate aliases (redirects) for pages, so anything on the internet that links to our docs should hopefully not break. 3. A minor nit I've had for a while, renaming `seek-help` to `support`. It's a minor thing, but `seek-help` has a strange connotation to it. 4. The commits are split such that you can review the first which is the "actual" change, and the second is added redirects so that the first doesn't break links elsewhere. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com>
1 year ago
docs: zh-cn translations for fail2ban setup (#20588) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1 year ago
Restructure documentation. Now the documentation has installation, administration, usage, development, contributing the 5 main parts (#23629) - **Installation**: includes how to install Gitea and related other tools, also includes upgrade Gitea - **Administration**: includes how to configure Gitea, customize Gitea and manage Gitea instance out of Gitea admin UI - **Usage**: includes how to use Gitea's functionalities. A sub documentation is about packages, in future we could also include CI/CD and others. - **Development**: includes how to integrate with Gitea's API, how to develop new features within Gitea - **Contributing**: includes how to contribute code to Gitea repositories. After this is merged, I think we can have a sub-documentation of `Usage` part named `Actions` to describe how to use Gitea actions --------- Co-authored-by: John Olheiser <john.olheiser@gmail.com>
1 year ago
docs: zh-cn translations for fail2ban setup (#20588) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1 year ago
Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com>
10 months ago
docs: zh-cn translations for fail2ban setup (#20588) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1 year ago
Use docs.gitea.com instead of docs.gitea.io (#26739)
9 months ago
 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. ---

  2. date: "2022-08-01T00:00:00+00:00"

  3. title: "设置 Fail2ban"

  4. slug: "fail2ban-setup"

  5. sidebar_position: 16

  6. toc: false

  7. draft: false

  8. aliases:

  9.   - /zh-cn/fail2ban-setup

  10. menu:

  11.   sidebar:

  12.     parent: "administration"

  13.     name: "设置 Fail2ban"

  14.     sidebar_position: 16

  15.     identifier: "fail2ban-setup"

  16. ---

  17. 

  18. # 使用 Fail2ban 阻止攻击者的暴力登录

  19. 

  20. **Fail2ban 检查客户端登录日志,将多次登录失败的客户端识别为攻击者并在一段时间内阻止其访问服务。如果你的实例是公开的,这一点尤其重要。请管理员仔细设置 fail2ban,错误的配置将导致防火墙阻止你访问自己的服务器。**

  21. 

  22. Gitea 会在日志文件 `log/gitea.log` 中记录登录失败的 CLI、SSH 或 HTTP 客户端 IP 地址,而你需要将 Gitea 的日志输出模式从默认的 `console` 更改为 `file`。这表示将日志输出到文件,使得 fail2ban 可以定期扫描日志内容。

  23. 

  24. 当用户的身份验证失败时,日志中会记录此类信息:

  25. 

  26. ```log

  27. 2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx

  28. ```

  29. 

  30. ```log

  31. 2020/10/15 16:08:44 [E] invalid credentials from xxx.xxx.xxx.xxx

  32. ```

  33. 

  34. ## 设置 Fail2ban

  35. 

  36. 添加日志过滤器规则到配置文件 `/etc/fail2ban/filter.d/gitea.conf`:

  37. 

  38. ```ini

  39. [Definition]

  40. failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

  41. ignoreregex =

  42. ```

  43. 

  44. 添加监狱规则到配置文件 `/etc/fail2ban/jail.d/gitea.conf`:

  45. 

  46. ```ini

  47. [gitea]

  48. enabled = true

  49. filter = gitea

  50. logpath = /var/lib/gitea/log/gitea.log

  51. maxretry = 10

  52. findtime = 3600

  53. bantime = 900

  54. action = iptables-allports

  55. ```

  56. 

  57. 如果你的 Gitea 实例运行在 Docker 容器中,并且直接将容器端口暴露到外部网络,

  58. 你还需要添加 `chain="FORWARD"` 到监狱规则配置文件 `/etc/fail2ban/jail.d/gitea-docker.conf`

  59. 以适应 Docker 的网络转发规则。但如果你在容器的宿主机上使用 Nginx 反向代理连接到 Gitea 则无需这样配置。

  60. 

  61. ```ini

  62. [gitea-docker]

  63. enabled = true

  64. filter = gitea

  65. logpath = /var/lib/gitea/log/gitea.log

  66. maxretry = 10

  67. findtime = 3600

  68. bantime = 900

  69. action = iptables-allports[chain="FORWARD"]

  70. ```

  71. 

  72. 最后,运行 `systemctl restart fail2ban` 即可应用更改。现在,你可以使用 `systemctl status fail2ban` 检查 fail2ban 运行状态。

  73. 

  74. 上述规则规定客户端在 1 小时内,如果登录失败的次数达到 10 次,则通过 iptables 锁定该客户端 IP 地址 15 分钟。

  75. 

  76. ## 设置反向代理

  77. 

  78. 如果你使用 Nginx 反向代理到 Gitea 实例,你还需要设置 Nginx 的 HTTP 头部值 `X-Real-IP` 将真实的客户端 IP 地址传递给 Gitea。否则 Gitea 程序会将客户端地址错误解析为反向代理服务器的地址,例如回环地址 `127.0.0.1`。

  79. 

  80. ```

  81. proxy_set_header X-Real-IP $remote_addr;

  82. ```

  83. 

  84. 额外注意,在 Gitea 的配置文件 `app.ini` 中存在下列默认值:

  85. 

  86. ```

  87. REVERSE_PROXY_LIMIT = 1

  88. REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128

  89. ```

  90. 

  91. `REVERSE_PROXY_LIMIT` 限制反向代理服务器的层数,设置为 `0` 表示不使用这些标头。

  92. `REVERSE_PROXY_TRUSTED_PROXIES` 表示受信任的反向代理服务器网络地址,

  93. 经过该网络地址转发来的流量会经过解析 `X-Real-IP` 头部得到真实客户端地址。

  94. (参考 [configuration cheat sheet](administration/config-cheat-sheet.md#security-security))