Fossil SCM
Clarified the intro to the new fail2ban section of the nginx-on-Debian doc.
Commit: 162b7abbe067ca009ef760e005fab9aadb3a4c683fcbd0a408f966827d539c74
Parent: 3c284e7c1e67fd0…
1 file changed, +13 -8
| --- www/server/debian/nginx.md | ||
| +++ www/server/debian/nginx.md | ||
| @@ -236,22 +236,27 @@ | ||
| 236 | 236 | [uv]: ../../unvers.wiki |
| 237 | 237 | |
| 238 | 238 | |
| 239 | 239 | ## <a name="fail2ban"></a> Integrating `fail2ban` |
| 240 | 240 | |
| 241 | -You can have `fail2ban` recognize attacks and automatically block them, | |
| 242 | -but the stock configuration doesn’t work with our Fossil setup above, so | |
| 243 | -we have to do a bit of local adjustment. | |
| 241 | +One of the nice things that falls out of proxying Fossil behind nginx is | |
| 242 | +that it makes it easier to configure `fail2ban` to recognize attacks on | |
| 243 | +Fossil and automatically block them. Fossil logs the sorts of errors we | |
| 244 | +want to detect, but it does so in places like the repository’s admin | |
| 245 | +log, a SQL table, which `fail2ban` doesn’t know how to query. By putting | |
| 246 | +Fossil behind an nginx proxy, we convert these failures to log file | |
| 247 | +form, which `fail2ban` is designed to handle. | |
| 244 | 248 | |
| 245 | -First, install it: | |
| 249 | +First, install `fail2ban`, if you haven’t already: | |
| 246 | 250 | |
| 247 | 251 | sudo apt install fail2ban |
| 248 | 252 | |
| 249 | -Out of the box, you get SSH monitoring only. There are nginx monitors | |
| 250 | -included with the package, but they don’t look in the right places for | |
| 251 | -the right things. We’d like it to react to Fossil `/login` failures, for | |
| 252 | -example. Put the following into | |
| 253 | +We’d like `fail2ban` to react to Fossil `/login` failures. The stock | |
| 254 | +configuration of `fail2ban` only detects a few common sorts of SSH | |
| 255 | +attacks by default, and its included (but disabled) nginx attack | |
| 256 | +detectors don’t include one that knows how to detect an attack on | |
| 257 | +Fossil. We have to teach it by putting the following into | |
| 253 | 258 | `/etc/fail2ban/filter.d/nginx-fossil-login.conf`: |
| 254 | 259 | |
| 255 | 260 | [Definition] |
| 256 | 261 | failregex = ^<HOST> - .*POST .*/login HTTP/..." 401 |
| 257 | 262 | |
| 258 | 263 |
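Review bot: the `failregex` on new line 261 (`^<HOST> - .*POST .*/login HTTP/..." 401`) is looser than the prose on lines 253-257 implies: `.*/login` matches any request whose path merely ends in `/login` (or contains `/login HTTP/` anywhere after a POST), and the unescaped dots in `HTTP/..."` match three arbitrary characters rather than the protocol version. Consider pinning it to the path nginx actually proxies, e.g. `failregex = ^<HOST> - .*"POST /login HTTP/[0-9.]+" 401` (with the repository prefix if Fossil is served under one), and say in the text that the pattern assumes nginx's default `combined` access-log format, since the leading `<HOST> - ` and the trailing `" 401` only line up with that format. The rewritten intro (lines 241-247) also promises that `fail2ban` will block these failures, but the hunk shows only the filter, not the jail stanza that enables it and points it at nginx's access log; if that part follows later in the file, a short pointer here would keep the new intro from overpromising.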