code-server/doc/fail2ban.md
Asher fd55139c82
Make flags additive and clean up docs
This means that you have to turn on features now instead of disabling
them like auth and https.

In addition:
- Allow multiple options for auth (only password for now).
- Combine the install docs since they had many commonalities and generally simplified them (hopefully not too much).
- Move all example configs into docs/examples.
2019-07-23 18:59:39 -05:00


Protecting code-server from bruteforce attempts

By default, code-server logs every failed login attempt together with the client IP address, the password that was supplied, the user agent and a timestamp. Because the supplied password is written to the log, treat the log file as sensitive: near-miss attempts often reveal the real password, so restrict read access to it.

When code-server sits behind a reverse proxy such as Nginx or Apache, the remote address it sees is the proxy's own address (127.0.0.1 or similar), not the client's. The client address then has to be taken from the X-Forwarded-For header, which the proxy must set. Note that a client can send its own X-Forwarded-For value; a proxy that appends (as the Nginx configuration below does) places the address it actually observed last, so any ban logic must read the header from the right-hand end and must only trust it on connections that really come from the proxy. Ensure that your reverse proxy sets this header:

Nginx:

location / {
  ...
  # Appends the connecting client's address to any X-Forwarded-For the client sent;
  # the last element is therefore the address Nginx itself observed.
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  ...
}

Apache:

<VirtualHost *:443>
  ...
  # mod_proxy adds X-Forwarded-For to proxied requests itself (ProxyAddHeaders is On by default).
  # This line only sets the "forwarded" environment variable for requests that carry the
  # header, e.g. for conditional logging; it does not add the header.
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
  ...
</VirtualHost>

It is extremely important that the code-server instance itself is not reachable from the internet: bind it to localhost so that only the proxy can connect to it, or block its port in your firewall. If clients can connect directly, they bypass the proxy and the X-Forwarded-For header is whatever the attacker chooses to send, which defeats any address-based banning.

Fail2Ban

Fail2Ban watches log files with regex filters and automatically bans (via firewall rules) and logs addresses that repeatedly fail authentication, for many applications. A working filter for code-server can be found in ./code-server.fail2ban.conf. Once Fail2Ban is installed and the filter is configured correctly, repeated failed login attempts should automatically result in the offending address being banned from connecting to your server. Behind a reverse proxy the filter must extract the client address from the forwarded header rather than the remote address field; otherwise the address that gets banned is the proxy's own, which locks every user out instead of the attacker.
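The following Python is an added example, not code from the code-server project and not its fail2ban filter. It models the address-extraction and counting logic a filter needs behind a reverse proxy, as described above. The log line shape, the field names (remoteAddress, xForwardedFor, password, userAgent) and all addresses are constructed assumptions: code-server's real log format is not reproduced on this page, so LINE_RE must be adapted to the actual output before reuse. The sample includes one request in which the attacker sends a spoofed X-Forwarded-For and Nginx appends the real address, showing why the last element must be used.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Reverse proxies whose X-Forwarded-For header we trust (assumption: proxy on localhost).
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# ASSUMED log shape; adapt to the real code-server output. The password field is
# matched only to consume it: a ban filter never needs its value.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) Failed login attempt '
    r'remoteAddress="(?P<remote>[^"]*)" '
    r'xForwardedFor="(?P<xff>[^"]*)" '
    r'password="(?P<password>[^"]*)" '
    r'userAgent="(?P<ua>[^"]*)"$'
)

# Constructed sample: three failures from 203.0.113.9, then the same client sends a
# spoofed "X-Forwarded-For: 198.51.100.7" which Nginx extends with the observed address,
# then one unrelated failure from 192.0.2.44.
SAMPLE_LOG = """\
2019-07-23T18:59:39.000Z Failed login attempt remoteAddress="127.0.0.1" xForwardedFor="203.0.113.9" password="hunter2" userAgent="curl/7.64"
2019-07-23T18:59:40.000Z Failed login attempt remoteAddress="127.0.0.1" xForwardedFor="203.0.113.9" password="hunter3" userAgent="curl/7.64"
2019-07-23T18:59:41.000Z Failed login attempt remoteAddress="127.0.0.1" xForwardedFor="203.0.113.9" password="hunter4" userAgent="curl/7.64"
2019-07-23T18:59:42.000Z Failed login attempt remoteAddress="127.0.0.1" xForwardedFor="198.51.100.7, 203.0.113.9" password="letmein" userAgent="curl/7.64"
2019-07-23T18:59:43.000Z Failed login attempt remoteAddress="127.0.0.1" xForwardedFor="192.0.2.44" password="pass" userAgent="Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one failed-login line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def naive_client_ip(xff):
    """The WRONG approach: trusting the first X-Forwarded-For element, which the client controls."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else None


def client_ip(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to count failures against.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies, and then
    the LAST element is used: $proxy_add_x_forwarded_for appends the address Nginx saw,
    so everything before it is attacker-controlled.
    """
    try:
        peer = ip_address(remote_addr)
    except ValueError:
        return None  # unparseable peer: do not ban anything based on it
    if not any(peer in net for net in trusted_proxies):
        return remote_addr  # direct connection: the header is untrusted, use the peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr  # proxy did not add the header; fall back to the peer
    try:
        return str(ip_address(hops[-1]))
    except ValueError:
        return remote_addr  # malformed last hop: never ban on a made-up string


def failures_by_ip(log_text, trusted_proxies=TRUSTED_PROXIES):
    """Count failed logins per resolved client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = client_ip(rec["remote"], rec["xff"], trusted_proxies)
        if ip:
            counts[ip] += 1
    return counts


def banned(log_text, maxretry=3, trusted_proxies=TRUSTED_PROXIES):
    """Addresses that reached the failure threshold (fail2ban's maxretry, ignoring findtime here)."""
    return {ip for ip, n in failures_by_ip(log_text, trusted_proxies).items() if n >= maxretry}


if __name__ == "__main__":
    print("failures:", dict(failures_by_ip(SAMPLE_LOG)))
    print("banned  :", banned(SAMPLE_LOG))
```

With the sample above, 203.0.113.9 accumulates four failures and is banned, 192.0.2.44 stays at one, and the spoofed 198.51.100.7 never appears in the counts; the naive first-element reading would instead attribute the fourth attempt to the innocent address and let the attacker's counter stall. The example counts over the whole file for brevity; fail2ban additionally scopes counting to a findtime window.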