Git with a cup of tea, painless self-hosted git service Mirror for internal git.with.parts use https://git.with.parts
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
gitea/docs/content/doc/usage/fail2ban-setup.md

1.6 KiB

date title slug weight toc draft menu
2018-05-11T11:00:00+02:00 Usage: Setup fail2ban fail2ban-setup 16 true false [{sidebar [{parent usage} {name Fail2ban setup} {weight 16} {identifier fail2ban-setup}]}]

Fail2ban setup to block users after failed login attemts

Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make sure to test this before relying on it so you don't lock yourself out.

Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in app.ini, then you should be able to go off of log/gitea.log, which gives you something like this on a bad authentication:

2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx

So we set our filter in /etc/fail2ban/filter.d/gitea.conf:

# gitea.conf
[Definition]
failregex =  .*Failed authentication attempt for .* from <HOST>
ignoreregex =

And configure it in /etc/fail2ban/jail.d/jail.local:

[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports

Make sure and read up on fail2ban and configure it to your needs, this bans someone for 15 minutes (from all ports) when they fail authentication 10 times in an hour.

If you run Gitea behind a reverse proxy with nginx (for example with docker), you need to add this to your nginx configuration so that IPs don't show up as 127.0.0.1:

proxy_set_header X-Real-IP $remote_addr;