gitea/docs/content/doc/usage/fail2ban-setup.en-us.md

---
date: "2018-05-11T11:00:00+02:00"
title: "Usage: Setup fail2ban"
slug: "fail2ban-setup"
weight: 16
toc: false
draft: false
menu:
  sidebar:
    parent: "usage"
    name: "Fail2ban setup"
    weight: 16
    identifier: "fail2ban-setup"
---

# Fail2ban setup to block users after failed login attempts

**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make
sure to test this before relying on it so you don't lock yourself out.**

Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in
`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
on a bad authentication from the web or CLI using SSH or HTTP respectively:

```log
2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```

```log
2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
```

Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:

```ini
# gitea.conf
[Definition]
failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
```

Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:

```ini
[gitea]
enabled = true
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
```

If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**
chain in **iptables**. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:

```ini
[gitea-docker]
enabled = true
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports[chain="FORWARD"]
```

Then simply run `service fail2ban restart` to apply your changes. You can check to see if
fail2ban has accepted your configuration using `service fail2ban status`.

Make sure and read up on fail2ban and configure it to your needs, this bans someone
for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.

If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add
this to your Nginx configuration so that IPs don't show up as 127.0.0.1:

```
proxy_set_header X-Real-IP $remote_addr;
```
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00			`---`
			`date: "2018-05-11T11:00:00+02:00"`
			`title: "Usage: Setup fail2ban"`
			`slug: "fail2ban-setup"`
			`weight: 16`
Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> 2020-12-09 06:47:06 +00:00			`toc: false`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00			`draft: false`
			`menu:`
			`sidebar:`
			`parent: "usage"`
			`name: "Fail2ban setup"`
			`weight: 16`
			`identifier: "fail2ban-setup"`
			`---`

Fix typo in doc (#8914) Fix typo in doc fail2ban-setup.md 2019-11-11 01:33:28 +00:00			`# Fail2ban setup to block users after failed login attempts`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			`**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00			`sure to test this before relying on it so you don't lock yourself out.**`

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			`Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in`
			`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 2020-12-08 17:54:33 +00:00			`on a bad authentication from the web or CLI using SSH or HTTP respectively:`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00
			```log
			`2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx`
			```
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 2020-12-15 08:45:13 +00:00
			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```

			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```

Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 2020-12-08 17:54:33 +00:00			```log
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 2020-12-15 08:45:13 +00:00			`2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 2020-12-08 17:54:33 +00:00			```
Standardise logging of failed authentication attempts in internal SSH (#13962) Continuing on from #13953 continue to improve and standardise logging from internal SSH. Also updates the fail2ban setup Signed-off-by: Andrew Thornton <art27@cantab.net> 2020-12-15 08:45:13 +00:00
			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```

			```log
			`2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx`
			```

Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 2020-12-08 17:54:33 +00:00			```log
			`2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx`
			```
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00
Docs: Added instructions for Docker fail2ban configuration. (#8642) 2019-10-23 14:07:32 +00:00			Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00
			```ini
			`# gitea.conf`
			`[Definition]`
Log IP on SSH authentication failure for Built-in SSH server (#13150) * Log IP on SSH authentication failure fixes https://github.com/go-gitea/gitea/issues/13094 * include string 'Failed authentication attempt' in error * update fail2ban docs also match failed authentication over command line * better logging of authentication errors with IP addresses * format ... Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: 6543 <6543@obermui.de> 2020-12-08 17:54:33 +00:00			`failregex = .(Failed authentication attempt\|invalid credentials\|Attempted access of unknown user). from <HOST>`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00			`ignoreregex =`
			```

Docs: Added instructions for Docker fail2ban configuration. (#8642) 2019-10-23 14:07:32 +00:00			Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00
			```ini
			`[gitea]`
			`enabled = true`
			`filter = gitea`
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			`logpath = /var/lib/gitea/log/gitea.log`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00			`maxretry = 10`
			`findtime = 3600`
			`bantime = 900`
			`action = iptables-allports`
			```

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			`If you're using Docker, you'll also need to add an additional jail to handle the FORWARD`
Docs: Added instructions for Docker fail2ban configuration. (#8642) 2019-10-23 14:07:32 +00:00			chain in iptables. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:

			```ini
			`[gitea-docker]`
			`enabled = true`
			`filter = gitea`
			`logpath = /home/git/gitea/log/gitea.log`
			`maxretry = 10`
			`findtime = 3600`
			`bantime = 900`
			`action = iptables-allports[chain="FORWARD"]`
			```

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			Then simply run `service fail2ban restart` to apply your changes. You can check to see if
Docs: Added instructions for Docker fail2ban configuration. (#8642) 2019-10-23 14:07:32 +00:00			fail2ban has accepted your configuration using `service fail2ban status`.

Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			`Make sure and read up on fail2ban and configure it to your needs, this bans someone`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00			`for 15 minutes (from all ports) when they fail authentication 10 times in an hour.`

Copyedit docs (#6275) 2019-03-09 21:15:45 +00:00			`If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add`
Fixed the log path on fail2ban page (#13726) * Changed path from /home/git/gitea/log/gitea.log to /var/lib/gitea/log/gitea.log on the fail2ban page, so the log matches the instructions found on the following binary installation page: https://docs.gitea.io/en-us/install-from-binary/#create-required-directory-structure 2020-11-28 01:08:23 +00:00			`this to your Nginx configuration so that IPs don't show up as 127.0.0.1:`
Added docs for configuring fail2ban (#3949) 2018-05-18 09:16:30 +00:00
			```
			`proxy_set_header X-Real-IP $remote_addr;`
			```