fail2ban gitlab nginx

*Edit: this doesn't actually work. I get banned for no reason; if anyone has a better regex solution please let me know =)

If you are using gitlab and nginx, the following fail2ban rule might be useful to block failed login attempts.

First, create the file /etc/fail2ban/filter.d/nginx-gitlab.conf

# Fail2Ban configuration file
#
# Author: Olle Gustafsson
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^<HOST> - -.*GET.*/1\.1.* 304 0

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Then add the following jail to /etc/fail2ban/jail.local

[nginx-gitlab]

enabled = true
port = http,https
filter = nginx-gitlab
logpath = /var/log/nginx/gitlab_access.log
maxretry = 3

Restart fail2ban and voilà!

6 responses to "fail2ban gitlab nginx"

  1. I made the following filter (/etc/fail2ban/filter.d/nginx-gitlab-signup):

    [Definition]
    failregex = ^<HOST> -.*"POST /users/sign_in HTTP.*$

    And made the following change in /etc/fail2ban/jail.local:

    [nginx-gitlab-signup]
    enabled = true
    port = http,https
    protocol = tcp
    filter = nginx-gitlab-signup
    logpath = /var/log/nginx/gitlab_access.log
    maxretry = 10
    action = %(action_mw)s

    Now, this is not technically counting failed logins. In a sense it’s counting login attempts. Those attempts might or might not fail. But it’s set high enough that I don’t think it will catch legitimate users on a single machine.

1. Actually, on successful login it has a 302 return code for the redirect, and 200 on failure.
      So, this would work better:
      failregex = ^<HOST> -.*"POST /users/sign_in HTTP.*" 200.*$

      Hope this helps!

2. I think this way the ban now works:

    failregex = ^<HOST> - -.*"POST /users/sign_in HTTP.*" 200.*$

3. Okay, the relational signs are filtered out, therefore:

    failregex = ^<HOST> - -.*"POST /users/sign_in HTTP.*" 200.*$

    less/greater: replace with the relational symbol, which is filtered out
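To see what the three failregex variants on this page (the original 304 rule, the first comment's any-POST rule, and the 200-only rule from the reply) would actually count, here is an added Python check that is not part of the original post or of fail2ban itself. It expands `<HOST>` the way the filter header describes, runs each regex over constructed nginx access-log lines, and reports the per-IP counts a jail with maxretry = 3 would act on; the helper names and the sample lines are my own.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this named group (quoted in the filter's own header).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex variants from the post and its comments.
FILTERS = {
    # Original post: any GET answered with 304 Not Modified counts as a failure.
    "304-get": r"^<HOST> - -.*GET.*/1\.1.* 304 0",
    # First comment: every sign-in POST, whether or not it succeeded.
    "any-post": r'^<HOST> -.*"POST /users/sign_in HTTP.*$',
    # Reply: only sign-in POSTs answered with 200 (form re-rendered); success is a 302.
    "failed-post": r'^<HOST> - -.*"POST /users/sign_in HTTP.*" 200.*$',
}

# Constructed nginx access-log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /users/sign_in HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "POST /users/sign_in HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:44 +0000] "POST /users/sign_in HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:56:01 +0000] "POST /users/sign_in HTTP/1.1" 302 96 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:56:02 +0000] "GET /dashboard HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:56:03 +0000] "GET /assets/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:56:03 +0000] "GET /assets/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:56:04 +0000] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile. Simplification: fail2ban strips the
    timestamp before matching; the .* in every pattern absorbs it here either way."""
    return re.compile(failregex.replace("<HOST>", HOST))

def count_failures(failregex, log_text):
    """Return {host: matching lines}, i.e. the per-IP failure count fail2ban would keep."""
    counts = Counter()
    pattern = compile_failregex(failregex)
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def banned_hosts(failregex, log_text, maxretry):
    """Hosts with at least maxretry matches (findtime ignored: one window is assumed)."""
    return sorted(h for h, n in count_failures(failregex, log_text).items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in FILTERS.items():
        print(name, count_failures(rx, SAMPLE_LOG), "banned:", banned_hosts(rx, SAMPLE_LOG, 3))
```

With these lines the 304 rule bans the user who just logged in successfully (three cached asset requests), which is the "banned for no reason" behaviour the edit note describes, while the 200-only rule bans only the address with three failed sign-ins.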
