Fail2ban filter for GitLab. Tested with GitLab 8.13 and fail2ban 0.9.4.
# cat /etc/fail2ban/filter.d/gitlab.conf
# fail2ban filter configuration for gitlab
# Author: Pawel Chmielinski
[Definition]
# Multi-line matching: the "Started" line and the "Completed 401" line are
# separated by several lines, so the filter is allowed to look ahead 6 lines.
maxlines = 6
# The relevant log file is /var/log/gitlab/gitlab-rails/production.log
# Note that a single login attempt can produce up to 3 failure entries in the log. Adjust your maxretry accordingly.
## Example fail - clone repo via https
#Started GET "/" for at 2016-10-25 00:01:24 +0200
#Processing by RootController#index as HTML
#Completed 401 Unauthorized in 69ms (ActiveRecord: 23.7ms)
## Example fail - login via GUI
#Started GET "//chmielu/test.git/info/refs?service=git-upload-pack" for at 2016-10-25 00:01:09 +0200
#Processing by Projects::GitHttpController#info_refs as */*
# Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"chmielu", "project_id"=>"test.git"}
#Filter chain halted as :authenticate_user rendered or redirected
#Completed 401 Unauthorized in 50ms (Views: 0.8ms | ActiveRecord: 8.1ms)
failregex = ^Started .* for <HOST> at .*<SKIPLINES>Completed 401 Unauthorized
ignoreregex =

Great solution... thanks


jaytagdamian commented Jul 9, 2018

File: /etc/fail2ban/jail.local

[gitlab]
enabled = true
port = http,https
filter = gitlab
logpath = /var/log/gitlab/gitlab-rails/production.log


NaWer commented May 16, 2019

For GitLab 11, there is a repository:


pkolmann commented Oct 6, 2020

For GitLab 13 I now use the production_json.log file and the following failregex:

failregex = ^{"method":"POST","path":"\/users\/sign_in",[a-zA-Z:,"]+,"status":0.*"remote_ip":"<HOST>",


IngoMeyer441 commented Aug 10, 2021

failregex = ^{"method":"POST","path":"\/users\/sign_in",[a-zA-Z:,"]+,"status":0.*"remote_ip":"<HOST>",

For me, the regex did not match all relevant lines in production_json.log. The regex

failregex = ^{"method":"POST","path":"\/users\/sign_in".*,"status":0.*,"remote_ip":"<HOST>"

is more general and finds all failed standard logins for me. If you have a central LDAP login, the regex

failregex = ^{"method":"POST","path":("\/users\/sign_in"|"\/users\/auth\/ldapmain\/callback").*,("status":0|"action":"failure").*,"remote_ip":"<HOST>"

will also catch failed LDAP login attempts.
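The JSON-log regexes in this thread are easiest to check by running them over sample lines the way `fail2ban-regex` does. The following Python script is an added example, not code from the gist or its commenters: it substitutes the `<HOST>` tag in IngoMeyer441's combined regex, counts matches per remote_ip and applies a maxretry threshold; the IPv4-only `<HOST>` stand-in, the helper names and the sample log lines are assumptions constructed for the demo.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with its own host pattern (IPv4, IPv6 or DNS name);
# this IPv4-only stand-in is an assumption made for the demo, not fail2ban's real pattern.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# The failregex from IngoMeyer441's comment (standard sign-in plus LDAP callback).
FAILREGEX_JSON = (
    r'^{"method":"POST","path":("\/users\/sign_in"|"\/users\/auth\/ldapmain\/callback")'
    r'.*,("status":0|"action":"failure").*,"remote_ip":"<HOST>"'
)


def compile_failregex(pattern):
    """Mimic fail2ban: substitute the <HOST> tag, then compile as a Python regex."""
    return re.compile(pattern.replace('<HOST>', HOST))


def failed_hosts(lines, pattern=FAILREGEX_JSON):
    """Count failregex matches per remote_ip, like `fail2ban-regex` would report."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group('host')] += 1
    return hits


def hosts_to_ban(lines, maxretry=3, pattern=FAILREGEX_JSON):
    """Hosts that reached the jail's maxretry (findtime is ignored in this demo)."""
    return sorted(h for h, n in failed_hosts(lines, pattern).items() if n >= maxretry)


# Constructed sample lines in the shape of production_json.log described in the
# comments (not real GitLab output): three failed password logins from one address,
# one successful login, one failed LDAP callback and one GET that must not count.
SAMPLE_LOG = [
    '{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":0,"duration":41.2,"remote_ip":"198.51.100.7","time":"2021-08-10T10:00:01Z"}',
    '{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":0,"duration":39.8,"remote_ip":"198.51.100.7","time":"2021-08-10T10:00:04Z"}',
    '{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":302,"duration":55.0,"remote_ip":"192.0.2.5","time":"2021-08-10T10:00:06Z"}',
    '{"method":"POST","path":"/users/auth/ldapmain/callback","format":"html","controller":"OmniauthCallbacksController","action":"failure","status":302,"duration":120.3,"remote_ip":"203.0.113.9","time":"2021-08-10T10:00:09Z"}',
    '{"method":"GET","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"new","status":200,"duration":12.0,"remote_ip":"198.51.100.7","time":"2021-08-10T10:00:10Z"}',
    '{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":0,"duration":40.5,"remote_ip":"198.51.100.7","time":"2021-08-10T10:00:12Z"}',
]

if __name__ == '__main__':
    print(failed_hosts(SAMPLE_LOG))
    print('ban:', hosts_to_ban(SAMPLE_LOG))
```

Swap in pkolmann's original regex as `pattern=` to see which of the sample lines it misses, which is the difference IngoMeyer441 describes.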
