Created
October 24, 2016 22:57
Fail2ban filter for gitlab. Tested with gitlab version 8.13 and fail2ban version 0.9.4
```ini
# cat /etc/fail2ban/filter.d/gitlab.conf
# fail2ban filter configuration for gitlab
# Author: Pawel Chmielinski

[Init]
maxlines = 6

[Definition]
# The relevant log file is in /var/log/gitlab/gitlab-rails/production.log
# Note that a single failure can appear in the logs up to 3 times with just one login attempt. Adjust your maxretry accordingly.

## Example fail - login via GUI
#Started GET "/" for 10.0.0.91 at 2016-10-25 00:01:24 +0200
#Processing by RootController#index as HTML
#Completed 401 Unauthorized in 69ms (ActiveRecord: 23.7ms)

## Example fail - clone repo via https
#Started GET "//chmielu/test.git/info/refs?service=git-upload-pack" for 10.0.0.91 at 2016-10-25 00:01:09 +0200
#Processing by Projects::GitHttpController#info_refs as */*
# Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"chmielu", "project_id"=>"test.git"}
#Filter chain halted as :authenticate_user rendered or redirected
#Completed 401 Unauthorized in 50ms (Views: 0.8ms | ActiveRecord: 8.1ms)

failregex = ^Started .* for <HOST> at .*<SKIPLINES>Completed 401 Unauthorized
ignoreregex =
```
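The sketch below is an added example, not part of the gist or of fail2ban: it approximates how the multi-line `failregex` and the `maxlines` window interact, using the two failure records quoted in the filter's comments. The Python translation of `<HOST>` and `<SKIPLINES>`, the function name `failed_hosts` and the successful-request sample are assumptions made for illustration.

```python
import re
from collections import deque

MAXLINES = 6  # same window size as "maxlines = 6" in the filter's [Init] section

# Approximation (an assumption, not fail2ban's exact expansion): <HOST> becomes an
# IPv4 group and <SKIPLINES> a lazy "skip whole lines" group.
FAILREGEX = re.compile(
    r"^Started .* for (?P<host>\d{1,3}(?:\.\d{1,3}){3}) at .*\n"
    r"(?:.*\n)*?"
    r"Completed 401 Unauthorized",
    re.MULTILINE,
)

# The two failure records quoted in the filter's comments.
CLONE_FAIL = '''Started GET "//chmielu/test.git/info/refs?service=git-upload-pack" for 10.0.0.91 at 2016-10-25 00:01:09 +0200
Processing by Projects::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"chmielu", "project_id"=>"test.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 50ms (Views: 0.8ms | ActiveRecord: 8.1ms)'''.splitlines()
GUI_FAIL = '''Started GET "/" for 10.0.0.91 at 2016-10-25 00:01:24 +0200
Processing by RootController#index as HTML
Completed 401 Unauthorized in 69ms (ActiveRecord: 23.7ms)'''.splitlines()
# Constructed sample of a successful request; it must not count as a failure.
OK_REQUEST = '''Started GET "/users/sign_in" for 10.0.0.92 at 2016-10-25 00:02:00 +0200
Processing by SessionsController#new as HTML
Completed 200 OK in 40ms (Views: 20.1ms | ActiveRecord: 2.0ms)'''.splitlines()


def failed_hosts(lines, maxlines=MAXLINES):
    """Return the host of each failure found in a sliding window of log lines."""
    window, hits = deque(maxlen=maxlines), []
    for line in lines:
        window.append(line)
        match = FAILREGEX.search("\n".join(window) + "\n")
        if match:
            hits.append(match.group("host"))
            window.clear()  # simplification: matched lines are not reused
    return hits


if __name__ == "__main__":
    print(failed_hosts(CLONE_FAIL + GUI_FAIL + OK_REQUEST))
    print(failed_hosts(CLONE_FAIL, maxlines=4))  # record longer than the window
```

If a log record spans more lines than `maxlines`, the `Started` line has already left the window when the `Completed 401` line arrives and nothing matches. On a real host, run `fail2ban-regex` against `production.log` and the filter file to see what fail2ban itself matches.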
I've tested so many lines. Unfortunately, there were never any matches... but it must only block lines like this:
- Authentication failure
- invalid_credentials
- Failed Login
How can we solve this? Gitlab 16.10 CE
Strange, as soon as you post something, you find the solution...
Thanks! I am not sure if this really worked, as the count is zero:
But then again, the attacks seemed to have stopped around 2023-02-12 13:37 (CET).