mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13586 Commits
17 Branches
Tree: ae52df6a64
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae52df6a64'
${ noResults }
gitea/docs/content/doc/usage/fail2ban-setup.en-us.md

fail2ban-setup.en-us.md 4.1KB
Raw Normal View History

Added docs for configuring fail2ban (#3949)
6 years ago
Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv>
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Fix typo in doc (#8914) Fix typo in doc fail2ban-setup.md
4 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de>
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed.
1 year ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net>
2 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed.
1 year ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net>
2 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de>
3 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de>
3 years ago
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed.
1 year ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net>
2 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed.
1 year ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net>
2 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed.
1 year ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net>
2 years ago
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed.
1 year ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net>
2 years ago
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net>
3 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de>
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Docs: Added instructions for Docker fail2ban configuration. (#8642)
4 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de>
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Docs: Added instructions for Docker fail2ban configuration. (#8642)
4 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Docs: Added instructions for Docker fail2ban configuration. (#8642)
4 years ago
Fixed log path in fail2ban documentation (#19103) This updates the log path in the [gitea-docker] jail configuration to match the path in the [gitea] jail, which was updated in #13726.
2 years ago
Docs: Added instructions for Docker fail2ban configuration. (#8642)
4 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Docs: Added instructions for Docker fail2ban configuration. (#8642)
4 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Copyedit docs (#6275)
5 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure
3 years ago
Added docs for configuring fail2ban (#3949)
6 years ago
Extend the fail2ban instructions with a hint on how to make X-Real-IP… (#16446) Following the merging of #14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers. This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately. See discussion in #16443 Co-authored-by: zeripath <art27@cantab.net>
2 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. ---

  2. date: "2018-05-11T11:00:00+02:00"

  3. title: "Usage: Setup fail2ban"

  4. slug: "fail2ban-setup"

  5. weight: 16

  6. toc: false

  7. draft: false

  8. menu:

  9.   sidebar:

  10.     parent: "usage"

  11.     name: "Fail2ban setup"

  12.     weight: 16

  13.     identifier: "fail2ban-setup"

  14. ---

  15. 

  16. # Fail2ban setup to block users after failed login attempts

  17. 

  18. **Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make

  19. sure to test this before relying on it so you don't lock yourself out.**

  20. 

  21. Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in

  22. `app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this

  23. on a bad authentication from the web or CLI using SSH or HTTP respectively:

  24. 

  25. ```log

  26. 2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx

  27. ```

  28. 

  29. ```log

  30. 2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx

  31. ```

  32. 

  33. (DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

  34. 

  35. ```log

  36. 2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx

  37. ```

  38. 

  39. (DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

  40. 

  41. ```log

  42. 2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx

  43. ```

  44. 

  45. (DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

  46. 

  47. ```log

  48. 2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx

  49. ```

  50. 

  51. (DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

  52. 

  53. ```log

  54. 2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx

  55. ```

  56. 

  57. (DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

  58. 

  59. ```log

  60. 2020/10/15 16:05:09 modules/ssh/ssh.go:249:sshConnectionFailed() [W] Failed authentication attempt from xxx.xxx.xxx.xxx

  61. ```

  62. 

  63. (From 1.15 this new message will available and doesn't have any of the false positive results that above messages from publicKeyHandler do. This will only be logged if the user has completely failed authentication.)

  64. 

  65. ```log

  66. 2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx

  67. ```

  68. 

  69. Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:

  70. 

  71. ```ini

  72. # gitea.conf

  73. [Definition]

  74. failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

  75. ignoreregex =

  76. ```

  77. 

  78. Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:

  79. 

  80. ```ini

  81. [gitea]

  82. enabled = true

  83. filter = gitea

  84. logpath = /var/lib/gitea/log/gitea.log

  85. maxretry = 10

  86. findtime = 3600

  87. bantime = 900

  88. action = iptables-allports

  89. ```

  90. 

  91. If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**

  92. chain in **iptables**. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:

  93. 

  94. ```ini

  95. [gitea-docker]

  96. enabled = true

  97. filter = gitea

  98. logpath = /var/lib/gitea/log/gitea.log

  99. maxretry = 10

  100. findtime = 3600

  101. bantime = 900

  102. action = iptables-allports[chain="FORWARD"]

  103. ```

  104. 

  105. Then simply run `service fail2ban restart` to apply your changes. You can check to see if

  106. fail2ban has accepted your configuration using `service fail2ban status`.

  107. 

  108. Make sure and read up on fail2ban and configure it to your needs, this bans someone

  109. for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.

  110. 

  111. If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add

  112. this to your Nginx configuration so that IPs don't show up as 127.0.0.1:

  113. 

  114. ```

  115. proxy_set_header X-Real-IP $remote_addr;

  116. ```

  117. 

  118. The security options in `app.ini` need to be adjusted to allow the interpretation of the headers

  119. as well as the list of IP addresses and networks that describe trusted proxy servers

  120. (See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).

  121. 

  122. ```

  123. REVERSE_PROXY_LIMIT = 1

  124. REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network

  125. ```