[DOCS] Update Fail2Ban security measures (#1349)
* [Docs] Security measures - Fail2Ban
  Minor changes / improvements to the text
* Update measures.md
* Update docs/security/measures.md

pull/1392/head
parent
0631667594
commit
0ba634ffee
|
@ -164,11 +164,11 @@ add_header X-XSS-Protection "1; mode=block";
|
||||||
|
|
||||||
### More protections measures with fail2ban
|
### More protections measures with fail2ban
|
||||||
|
|
||||||
If you are running fail2ban to protect your system, you can also add a filter and jail for authelia to reduce load on the application / web server from repeated hacking attempts.
|
If you are running fail2ban, adding a filter and jail for Authelia can reduce load on the application / web server. Fail2ban will ban IPs exceeding a threshold of repeated failed logins at the firewall level of your host.
|
||||||
|
|
||||||
If you are using docker, the Authelia log file location has to be mounted from the host system to the container for fail2ban to work. Otherwise fail2ban is unable to access it.
|
If you are using Docker, the Authelia log file location has to be mounted from the host system to the container for fail2ban to access it.
|
||||||
|
|
||||||
Create a configuration file in the `filter.d` folder with the following content. In Debian-based systems the folder is typically located at `/etc/fail2ban/filter.d`.
|
Create a configuration file in the `filter.d` folder with the content below. In Debian-based systems the folder is typically located at `/etc/fail2ban/filter.d`.
|
||||||
|
|
||||||
```
|
```
|
||||||
# Fail2Ban filter for Authelia
|
# Fail2Ban filter for Authelia
|
||||||
|
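Review bot: The Docker sentence in this hunk still leaves the mount direction ambiguous: fail2ban on the host can only read the log if Authelia writes it to a host path that is bind-mounted into the Authelia container, and if fail2ban itself runs in a container the same host path has to be mounted into that container as well. Suggest: "If you are using Docker, have Authelia write its log to a host path that is bind-mounted into the container, so that fail2ban can read it." The new sentence "Fail2ban will ban IPs exceeding a threshold of repeated failed logins at the firewall level of your host" is also worth qualifying with "by default", since that holds for the standard iptables/nftables ban actions but not for every `banaction` a jail can be given.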
@ -177,10 +177,8 @@ Create a configuration file in the `filter.d` folder with the following content.
|
||||||
# only contains a single IP address (the one from the end-user), and not the proxy chain
|
# only contains a single IP address (the one from the end-user), and not the proxy chain
|
||||||
# (it is misleading: usually, this is the purpose of this header).
|
# (it is misleading: usually, this is the purpose of this header).
|
||||||
|
|
||||||
# failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure
|
# the failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure
|
||||||
# ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as level=error by Authelia
|
# the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as level=error by Authelia
|
||||||
# adding the commented line below to the failregex filter would also count ever ban (as a result of too many failed logins as a failure)
|
|
||||||
# ^.* is banned until .*remote_ip=<HOST> stack.*
|
|
||||||
|
|
||||||
[Definition]
|
[Definition]
|
||||||
failregex = ^.*Error while checking password for.*remote_ip=<HOST> stack.*
|
failregex = ^.*Error while checking password for.*remote_ip=<HOST> stack.*
|
||||||
|
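Review bot: The two lines removed at the end of the comment block (the optional `^.* is banned until .*remote_ip=<HOST> stack.*` pattern and the comment explaining it) go unmentioned in the commit message; dropping it is sensible, because counting Authelia's own "is banned until" messages as further failures would make one burst of failed logins count twice, but say so. Separately, the reworded comment still claims the filter counts "failed TOTP entry as a failure", while the only failregex visible in this hunk matches `Error while checking password for`; if there is no second pattern for TOTP failures among the lines this hunk does not show, the comment overstates what the filter does. Either way the doc would benefit from a one-line check after the filter: `fail2ban-regex /path-to-your-authelia.log /etc/fail2ban/filter.d/authelia.conf` reports how many log lines each pattern matched, which is how a reader verifies the regex against their own log format before enabling the jail.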
@ -192,18 +190,19 @@ ignoreregex = ^.*level=debug.*
|
||||||
^.*level=warning.*
|
^.*level=warning.*
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Modify the `jail.local` file. In Debian-based systems the folder is typically located at `/etc/fail2ban/`. If the file does not exist, create it by copying the jail.conf `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`.
|
||||||
2. Modify the `jail.local` file. In Debian-based systems the folder is typically located at `/etc/fail2ban/`. If the file does not exist, create it by copying the jail.conf `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`.
|
|
||||||
Add an Authelia entry to the "Jails" section of the file:
|
Add an Authelia entry to the "Jails" section of the file:
|
||||||
```
|
```
|
||||||
[authelia]
|
[authelia]
|
||||||
enabled = true
|
enabled = true
|
||||||
port = http,https,9091
|
port = http,https,9091
|
||||||
filter = authelia
|
filter = authelia
|
||||||
logpath = /path-to-your-authelia-log
|
logpath = /path-to-your-authelia.log
|
||||||
maxretry = 3
|
maxretry = 3
|
||||||
bantime = 1d
|
bantime = 1d
|
||||||
findtime = 1d
|
findtime = 1d
|
||||||
chain = DOCKER-USER
|
chain = DOCKER-USER
|
||||||
```
|
```
|
||||||
If you are not using Docker remove the the line "chain = DOCKER-USER"
|
If you are not using Docker remove the the line "chain = DOCKER-USER"
|
||||||
|
|
||||||
|
Finally, restart the fail2ban service.
|
||||||
|
|
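Review bot: "If you are not using Docker remove the the line" on the last prose line of this hunk keeps the doubled "the" from the old text and still has no closing period; while touching it, say why the line matters: traffic to published container ports is handled in the FORWARD path via the DOCKER-USER chain, so a ban inserted into INPUT never reaches a containerised Authelia, which is exactly what `chain = DOCKER-USER` is for. The new closing line "Finally, restart the fail2ban service." would be more useful with the command and a check, e.g. `sudo fail2ban-client reload` followed by `sudo fail2ban-client status authelia`, which confirms the jail loaded and shows the file it is watching and the current ban list. One more: `maxretry = 3` with `findtime = 1d` and `bantime = 1d` means three failed logins in 24 hours lock an address out for a day; that is a legitimate choice, but a sentence telling readers to tune these values for their user base would avoid surprises.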