| | |
|---|
| | | ## Configure fail2ban for Gitblit-SSH |
|---|
| | | |
|---|
| | | This procedure is based on a Debian installation of [fail2ban](http://www.fail2ban.org/), but it should works in any installation. |
|---|
| | | This procedure uses [fail2ban](http://www.fail2ban.org/). |
|---|
| | | |
|---|
| | | First, create a new filter file `gitblit.conf` in filter directory (Debian: `/etc/fail2ban/filter.d/`) or into `filter.conf` file. Here an example: |
|---|
| | | First, create a new filter file `gitblit.conf` in filter directory (Debian/CentOS: `/etc/fail2ban/filter.d/`) or into `filter.conf` file. Here is an example: |
|---|
| | | |
|---|
| | | [Definition] |
|---|
| | | failregex = could not authenticate .*? \(/<HOST>:[0-9]*\) for SSH using the supplied password$ |
|---|
| | | failregex = Failed login attempt for .+, invalid credentials from <HOST>\s*$ |
|---|
| | | could not authenticate .*? \(/<HOST>:[0-9]*\) for SSH using the supplied password$ |
|---|
| | | ignoreregex = |
|---|
| | | |
|---|
| | | Then edit `jail.conf` to add "gitblit" service (Debian: `/etc/fail2ban/jail.conf`). For example: |
|---|
| | | |
|---|
| | | [gitblit] |
|---|
| | | enabled = true |
|---|
| | | port = 22 |
|---|
| | | port = 443,29418 |
|---|
| | | protocol = tcp |
|---|
| | | filter = gitblit |
|---|
| | | logpath = /var/log/gitblit.log |
|---|
| | | |
|---|
| | | Restart fail2ban to apply (Debian: `/etc/init.d/fail2ban restart`). |
|---|
| | | |
|---|
| | | Reload fail2ban config to apply (`fail2ban-client reload`). |
|---|
| | | |
|---|
| | | Check the status of the gitblit fail2ban jail with `fail2ban-client status gitblit` |
|---|
