gitea/docs/content/administration/fail2ban-setup.en-us.md

---
date: "2018-05-11T11:00:00+02:00"
title: "Fail2ban Setup "
slug: "fail2ban-setup"
sidebar_position: 16
toc: false
draft: false
aliases:
  - /en-us/fail2ban-setup
menu:
  sidebar:
    parent: "administration"
    name: "Fail2ban setup"
    sidebar_position: 16
    identifier: "fail2ban-setup"
---

# Fail2ban setup to block users after failed login attempts

**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make
sure to test this before relying on it so you don't lock yourself out.**

Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in
`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
on a bad authentication from the web or CLI using SSH or HTTP respectively:

```log
2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:249:sshConnectionFailed() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

(From 1.15 this new message will available and doesn't have any of the false positive results that above messages from publicKeyHandler do. This will only be logged if the user has completely failed authentication.)

```log
2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
```

Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:

```ini
# gitea.conf
[Definition]
failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
```

Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:

```ini
[gitea]
enabled = true
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
```

If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**
chain in **iptables**. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:

```ini
[gitea-docker]
enabled = true
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports[chain="FORWARD"]
```

Then simply run `service fail2ban restart` to apply your changes. You can check to see if
fail2ban has accepted your configuration using `service fail2ban status`.

Make sure and read up on fail2ban and configure it to your needs, this bans someone
for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.

If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add
this to your Nginx configuration so that IPs don't show up as 127.0.0.1:

```
proxy_set_header X-Real-IP $remote_addr;
```

The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
as well as the list of IP addresses and networks that describe trusted proxy servers
(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).

```
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network
```
Added docs for configuring fail2ban (#3949) 7 years ago			`---`
			`date: "2018-05-11T11:00:00+02:00"`
Adjust some documentations titles (#23941) As title. 2 years ago			`title: "Fail2ban Setup "`
Added docs for configuring fail2ban (#3949) 7 years ago			`slug: "fail2ban-setup"`
Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 1 year ago			`sidebar_position: 16`
Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`toc: false`
Added docs for configuring fail2ban (#3949) 7 years ago			`draft: false`
Refactor docs (#23752) This was intended to be a small followup for https://github.com/go-gitea/gitea/pull/23712, but...here we are. 1. Our docs currently use `slug` as the entire URL, which makes refactoring tricky (see https://github.com/go-gitea/gitea/pull/23712). Instead, this PR attempts to make future refactoring easier by using slugs as an extension of the section. (Hugo terminology) - What the above boils down to is this PR attempts to use directory organization as URL management. e.g. `usage/comparison.en-us.md` -> `en-us/usage/comparison/`, `usage/packages/overview.en-us.md` -> `en-us/usage/packages/overview/` - Technically we could even remove `slug`, as Hugo defaults to using filename, however at least with this PR it means `slug` only needs to be the name for the current file rather than an entire URL 2. This PR adds appropriate aliases (redirects) for pages, so anything on the internet that links to our docs should hopefully not break. 3. A minor nit I've had for a while, renaming `seek-help` to `support`. It's a minor thing, but `seek-help` has a strange connotation to it. 4. The commits are split such that you can review the first which is the "actual" change, and the second is added redirects so that the first doesn't break links elsewhere. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 2 years ago			`aliases:`
			`- /en-us/fail2ban-setup`
Added docs for configuring fail2ban (#3949) 7 years ago			`menu:`
			`sidebar:`
Restructure documentation. Now the documentation has installation, administration, usage, development, contributing the 5 main parts (#23629) - Installation: includes how to install Gitea and related other tools, also includes upgrade Gitea - Administration: includes how to configure Gitea, customize Gitea and manage Gitea instance out of Gitea admin UI - Usage: includes how to use Gitea's functionalities. A sub documentation is about packages, in future we could also include CI/CD and others. - Development: includes how to integrate with Gitea's API, how to develop new features within Gitea - Contributing: includes how to contribute code to Gitea repositories. After this is merged, I think we can have a sub-documentation of `Usage` part named `Actions` to describe how to use Gitea actions --------- Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2 years ago			`parent: "administration"`
Added docs for configuring fail2ban (#3949) 7 years ago			`name: "Fail2ban setup"`
Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 1 year ago			`sidebar_position: 16`
Added docs for configuring fail2ban (#3949) 7 years ago			`identifier: "fail2ban-setup"`
			`---`

Fix typo in doc (#8914) Fix typo in doc fail2ban-setup.md 5 years ago			`# Fail2ban setup to block users after failed login attempts`
Added docs for configuring fail2ban (#3949) 7 years ago
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			`**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make`
Added docs for configuring fail2ban (#3949) 7 years ago			`sure to test this before relying on it so you don't lock yourself out.**`

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			`Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in`
			`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 4 years ago			`on a bad authentication from the web or CLI using SSH or HTTP respectively:`
Added docs for configuring fail2ban (#3949) 7 years ago
			```log
			`2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx`
			```
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago
			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net> 3 years ago			`(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)`
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago
			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net> 3 years ago			`(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)`
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 4 years ago			```log
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago			`2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 4 years ago			```
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net> 3 years ago			`(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)`
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago
			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net> 3 years ago			`(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)`
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago
			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net> 3 years ago			`(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)`

			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:249:sshConnectionFailed() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Update fail2ban documentation (#16286) Following the merge of #16278 we need to update the fail2ban documentation to take account of the availability of the new sshConnectionFailed failed authentication attempt log message. Also add a deprecation notice regarding the previous publicKeyHandler messages, as these may be a source of false positives. Signed-off-by: Andrew Thornton <art27@cantab.net> 3 years ago			`(From 1.15 this new message will available and doesn't have any of the false positive results that above messages from publicKeyHandler do. This will only be logged if the user has completely failed authentication.)`
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 4 years ago
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 4 years ago			```log
			`2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx`
			```
Added docs for configuring fail2ban (#3949) 7 years ago
Docs: Added instructions for Docker fail2ban configuration. (#8642) 5 years ago			Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:
Added docs for configuring fail2ban (#3949) 7 years ago
			```ini
			`# gitea.conf`
			`[Definition]`
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 4 years ago			`failregex = .(Failed authentication attempt\|invalid credentials\|Attempted access of unknown user). from <HOST>`
Added docs for configuring fail2ban (#3949) 7 years ago			`ignoreregex =`
			```

Docs: Added instructions for Docker fail2ban configuration. (#8642) 5 years ago			Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:
Added docs for configuring fail2ban (#3949) 7 years ago
			```ini
			`[gitea]`
			`enabled = true`
			`filter = gitea`
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			`logpath = /var/lib/gitea/log/gitea.log`
Added docs for configuring fail2ban (#3949) 7 years ago			`maxretry = 10`
			`findtime = 3600`
			`bantime = 900`
			`action = iptables-allports`
			```

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			`If you're using Docker, you'll also need to add an additional jail to handle the FORWARD`
Docs: Added instructions for Docker fail2ban configuration. (#8642) 5 years ago			chain in iptables. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:

			```ini
			`[gitea-docker]`
			`enabled = true`
			`filter = gitea`
Fixed log path in fail2ban documentation (#19103) This updates the log path in the [gitea-docker] jail configuration to match the path in the [gitea] jail, which was updated in #13726. 3 years ago			`logpath = /var/lib/gitea/log/gitea.log`
Docs: Added instructions for Docker fail2ban configuration. (#8642) 5 years ago			`maxretry = 10`
			`findtime = 3600`
			`bantime = 900`
			`action = iptables-allports[chain="FORWARD"]`
			```

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			Then simply run `service fail2ban restart` to apply your changes. You can check to see if
Docs: Added instructions for Docker fail2ban configuration. (#8642) 5 years ago			fail2ban has accepted your configuration using `service fail2ban status`.

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			`Make sure and read up on fail2ban and configure it to your needs, this bans someone`
Added docs for configuring fail2ban (#3949) 7 years ago			`for 15 minutes (from all ports) when they fail authentication 10 times in an hour.`

Copyedit docs (#6275) 6 years ago			`If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add`
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 4 years ago			`this to your Nginx configuration so that IPs don't show up as 127.0.0.1:`
Added docs for configuring fail2ban (#3949) 7 years ago
			```
			`proxy_set_header X-Real-IP $remote_addr;`
			```
Extend the fail2ban instructions with a hint on how to make X-Real-IP… (#16446) Following the merging of #14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers. This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately. See discussion in #16443 Co-authored-by: zeripath <art27@cantab.net> 3 years ago
			The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
			`as well as the list of IP addresses and networks that describe trusted proxy servers`
			`(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).`

			```
			`REVERSE_PROXY_LIMIT = 1`
			`REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network`
			```