2018-05-18 05:16:30 -04:00
---
date: "2018-05-11T11:00:00+02:00"
title: "Usage: Setup fail2ban"
slug: "fail2ban-setup"
weight: 16
2020-12-09 01:47:06 -05:00
toc: false
2018-05-18 05:16:30 -04:00
draft: false
menu:
sidebar:
parent: "usage"
name: "Fail2ban setup"
weight: 16
identifier: "fail2ban-setup"
---
2019-11-10 20:33:28 -05:00
# Fail2ban setup to block users after failed login attempts
2018-05-18 05:16:30 -04:00
2020-11-27 20:08:23 -05:00
**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make
2018-05-18 05:16:30 -04:00
sure to test this before relying on it so you don't lock yourself out.**
2020-11-27 20:08:23 -05:00
Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in
`app.ini` , then you should be able to go off of `log/gitea.log` , which gives you something like this
2020-12-08 12:54:33 -05:00
on a bad authentication from the web or CLI using SSH or HTTP respectively:
2018-05-18 05:16:30 -04:00
```log
2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
```
2020-12-08 12:54:33 -05:00
```log
2020/10/15 16:05:09 modules/ssh/ssh.go:188:publicKeyHandler() [E] SearchPublicKeyByContent: public key does not exist [id: 0] Failed authentication attempt from xxx.xxx.xxx.xxx
```
```log
2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
```
2018-05-18 05:16:30 -04:00
2019-10-23 10:07:32 -04:00
Add our filter in `/etc/fail2ban/filter.d/gitea.conf` :
2018-05-18 05:16:30 -04:00
```ini
# gitea.conf
[Definition]
2020-12-08 12:54:33 -05:00
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from < HOST >
2018-05-18 05:16:30 -04:00
ignoreregex =
```
2019-10-23 10:07:32 -04:00
Add our jail in `/etc/fail2ban/jail.d/gitea.conf` :
2018-05-18 05:16:30 -04:00
```ini
[gitea]
enabled = true
filter = gitea
2020-11-27 20:08:23 -05:00
logpath = /var/lib/gitea/log/gitea.log
2018-05-18 05:16:30 -04:00
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
```
2020-11-27 20:08:23 -05:00
If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**
2019-10-23 10:07:32 -04:00
chain in **iptables** . Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf` :
```ini
[gitea-docker]
enabled = true
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports[chain="FORWARD"]
```
2020-11-27 20:08:23 -05:00
Then simply run `service fail2ban restart` to apply your changes. You can check to see if
2019-10-23 10:07:32 -04:00
fail2ban has accepted your configuration using `service fail2ban status` .
2020-11-27 20:08:23 -05:00
Make sure and read up on fail2ban and configure it to your needs, this bans someone
2018-05-18 05:16:30 -04:00
for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.
2019-03-09 16:15:45 -05:00
If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add
2020-11-27 20:08:23 -05:00
this to your Nginx configuration so that IPs don't show up as 127.0.0.1:
2018-05-18 05:16:30 -04:00
```
proxy_set_header X-Real-IP $remote_addr;
```