Skip to content

Instantly share code, notes, and snippets.

@pawilon

pawilon/gitlab.cfg

Created Oct 24, 2016
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Fail2ban filter for gitlab. Tested with gitlab version 8.13 and fail2ban version 0.9.4
Raw
gitlab.cfg
# cat /etc/fail2ban/filter.d/gitlab.conf
# fail2ban filter configuration for gitlab
# Author: Pawel Chmielinski
[Init]
maxlines = 6
[Definition]
# The relevant log file is in /var/log/gitlab/gitlab-rails/production.log
# Note that a single failure can appear in the logs up to 3 times with just one login attempt. Adjust your maxfails accordingly.
## Example fail - clone repo via https
#Started GET "/" for 10.0.0.91 at 2016-10-25 00:01:24 +0200
#Processing by RootController#index as HTML
#Completed 401 Unauthorized in 69ms (ActiveRecord: 23.7ms)
## Example fail - login via GUI
#Started GET "//chmielu/test.git/info/refs?service=git-upload-pack" for 10.0.0.91 at 2016-10-25 00:01:09 +0200
#Processing by Projects::GitHttpController#info_refs as */*
# Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"chmielu", "project_id"=>"test.git"}
#Filter chain halted as :authenticate_user rendered or redirected
#Completed 401 Unauthorized in 50ms (Views: 0.8ms | ActiveRecord: 8.1ms)
failregex = ^Started .* for <HOST> at .*<SKIPLINES>Completed 401 Unauthorized
ignoreregex =
@centerboy88
Copy link

great solution.... thanks

@jaytagdamian
Copy link

jaytagdamian commented Jul 9, 2018
edited

File: /etc/fail2ban/jail.local

[gitlab]
enabled = true
port = http,https
filter = gitlab
logpath = /var/log/gitlab/gitlab-rails/production.log

@NaWer
Copy link

NaWer commented May 16, 2019
edited

For gitlab 11, there is a repository : https://gitlab.com/MiGoller/gitlab-fail2ban-filter

@pkolmann
Copy link

pkolmann commented Oct 6, 2020

For Gitlab 13 I now use the production_json.log file and use the following failregex:

failregex = ^{"method":"POST","path":"\/users\/sign_in",[a-zA-Z:,"]+,"status":0.*"remote_ip":"<HOST>",

@IngoMeyer441
Copy link

IngoMeyer441 commented Aug 10, 2021
edited

failregex = ^{"method":"POST","path":"\/users\/sign_in",[a-zA-Z:,"]+,"status":0.*"remote_ip":"<HOST>",

For me, the regex did not match all relevant lines in production_json.log. The regex

failregex = ^{"method":"POST","path":"\/users\/sign_in".*,"status":0.*,"remote_ip":"<HOST>"

is more general and finds all failed Standard logins for me. If you have a central LDAP login, the regex

failregex = ^{"method":"POST","path":("\/users\/sign_in"|"\/users\/auth\/ldapmain\/callback").*,("status":0|"action":"failure").*,"remote_ip":"<HOST>"

will also catch failed LDAP login attempts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment