*Edit: this doesn’t actually work. I get banned for no reason, if anyone has a better regex solution please let me know =)
If you are using GitLab behind nginx, the following fail2ban rule might be useful for blocking failed login attempts.
First, create the file /etc/fail2ban/filter.d/nginx-gitlab.conf:
# Fail2Ban configuration file
#
# Author: Olle Gustafsson
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^<HOST> - -.*GET.*/1\.1.* 304 0

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Then add the following rule to /etc/fail2ban/jail.local:
[nginx-gitlab]
enabled = true
port = http,https
filter = nginx-gitlab
logpath = /var/log/nginx/gitlab_access.log
maxretry = 3
Restart fail2ban and voilà!
I made the following filter (/etc/fail2ban/filter.d/nginx-gitlab-signup):
[Definition]
failregex = ^<HOST> -.*"POST /users/sign_in HTTP.*$
And made the following change in /etc/fail2ban/jail.local:
[nginx-gitlab-signup]
enabled = true
port = http,https
protocol = tcp
filter = nginx-gitlab-signup
logpath = /var/log/nginx/gitlab_access.log
maxretry = 10
action = %(action_mw)s
Now, this is not technically counting failed logins. In a sense it’s counting login attempts. Those attempts might or might not fail. But it’s set high enough that I don’t think it will catch legitimate users on a single machine.
failregex = ^<HOST> -.*"POST /users/sign_in HTTP.*$
Actually, on a successful login it has a 302 return code for the redirect, and 200 on a failure.
So, this would work better:
failregex = ^<HOST> -.*"POST /users/sign_in HTTP.*" 200.*$
Hope this helps!
I think the ban now works this way:
failregex = ^ - -.*"POST /users/sign_in HTTP.*" 200.*$
Important: at the beginning, HOST with
Okay, the relational signs are filtered out, therefore:
failregex = ^'less'HOST'greater' - -.*"POST /users/sign_in HTTP.*" 200.*$
Replace less/greater with the relational symbols, which are filtered out.
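The following is an added example, not part of the original post or any of its comments: a small Python harness that runs the three failregex variants from this page over constructed nginx access-log lines and counts which client address each one would charge. The HOST pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and the log lines, IP addresses and the names `FILTERS`, `SAMPLE_LOG`, `count_hits` and `report` are assumptions made for the illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 or hostname only).
HOST = r"(?P<host>[\w\-.^_]+)"

# failregex candidates taken from the post and its comments.
FILTERS = {
    "post (304 GET)": r'^<HOST> - -.*GET.*/1\.1.* 304 0',
    "any sign_in POST": r'^<HOST> -.*"POST /users/sign_in HTTP.*$',
    "sign_in POST + 200": r'^<HOST> -.*"POST /users/sign_in HTTP.*" 200.*$',
}

# Constructed nginx "combined" log lines (documentation IP ranges, made-up times).
# 203.0.113.5 is a normal user: a cached asset (304), then a good login (302).
# 198.51.100.7 fails to log in twice (200, per the comment above).
SAMPLE_LOG = '''\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0200] "GET /assets/application.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:40 +0200] "POST /users/sign_in HTTP/1.1" 302 101 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:56:01 +0200] "POST /users/sign_in HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:56:03 +0200] "POST /users/sign_in HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
'''.splitlines()

def count_hits(failregex, lines=SAMPLE_LOG):
    """Return {host: number of matching lines} for one failregex."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits

def report():
    """Hit counts per filter; compare them against maxretry in the jail."""
    return {name: count_hits(rx) for name, rx in FILTERS.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:20} {hits}")
```

The 304 pattern charges the normal user for a cached asset request, the plain POST pattern charges every login attempt, and only the 200 variant is limited to the failing address. On the server itself, `fail2ban-regex` can run the real filter file against the real log.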