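# cat /etc/fail2ban/filter.d/gitlab.conf
# fail2ban filter configuration for gitlab
# Author: Pawel Chmielinski

[Init]
# Number of consecutive log lines buffered so that the "Started ..." line and
# the "Completed 401 ..." line of one request can be matched as a unit through
# <SKIPLINES> in the failregex below.
maxlines = 6

[Definition]
# The relevant log file is in /var/log/gitlab/gitlab-rails/production.log
# Note that a single failure can appear in the logs up to 3 times with just one login attempt. Adjust your maxretry accordingly.
# NOTE(review): lines of concurrent requests interleave in this log, so a
# "Completed 401" within the next <maxlines> lines may belong to a different
# request than the "Started ... for <HOST>" line it is paired with; check the
# ban counts on a busy instance before lowering maxretry.
## Example fail - login via GUI
#Started GET "/" for 10.0.0.91 at 2016-10-25 00:01:24 +0200
#Processing by RootController#index as HTML
#Completed 401 Unauthorized in 69ms (ActiveRecord: 23.7ms)
## Example fail - clone repo via https
#Started GET "//chmielu/test.git/info/refs?service=git-upload-pack" for 10.0.0.91 at 2016-10-25 00:01:09 +0200
#Processing by Projects::GitHttpController#info_refs as */*
# Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"chmielu", "project_id"=>"test.git"}
#Filter chain halted as :authenticate_user rendered or redirected
#Completed 401 Unauthorized in 50ms (Views: 0.8ms | ActiveRecord: 8.1ms)
# The request path between the quotes is chosen by the client; matching it with
# "[^"]*" instead of a free .* keeps <HOST> pinned to the address Rails logs
# right after the closing quote (assumes the logged path never contains a raw
# double quote - confirm against your own log lines).
failregex = ^Started \S+ "[^"]*" for <HOST> at .*<SKIPLINES>Completed 401 Unauthorized
ignoreregex =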
File: /etc/fail2ban/jail.local
[gitlab]
# Jail for the gitlab filter (filter.d/gitlab.conf). Failures are logged by the
# Rails application, so the web front-end ports are what gets blocked.
# maxretry and bantime are not set here, so the jail defaults apply; the filter
# notes that one login attempt can match up to 3 times.
enabled = true
filter = gitlab
logpath = /var/log/gitlab/gitlab-rails/production.log
port = http,https
For GitLab 11, there is a repository: https://gitlab.com/MiGoller/gitlab-fail2ban-filter
For Gitlab 13 I now use the production_json.log file and use the following failregex:
failregex = ^{"method":"POST","path":"\/users\/sign_in",[a-zA-Z:,"]+,"status":0.*"remote_ip":"<HOST>",
failregex = ^{"method":"POST","path":"\/users\/sign_in",[a-zA-Z:,"]+,"status":0.*"remote_ip":"<HOST>",
For me, the regex did not match all relevant lines in production_json.log. The regex
failregex = ^{"method":"POST","path":"\/users\/sign_in".*,"status":0.*,"remote_ip":"<HOST>"
is more general and finds all failed standard logins for me. If you have a central LDAP login, the regex
failregex = ^{"method":"POST","path":("\/users\/sign_in"|"\/users\/auth\/ldapmain\/callback").*,("status":0|"action":"failure").*,"remote_ip":"<HOST>"
will also catch failed LDAP login attempts.
great solution.... thanks