code-server-2/doc/fail2ban.md

1.1 KiB

Protecting code-server from bruteforce attempts

code-server outputs all failed login attempts, along with the IP address, provided password, user agent and timestamp by default.

When using a reverse proxy such as Nginx or Apache, the remote address may appear to be 127.0.0.1 or a similar address so X-Forwarded-For should be used instead. Ensure that you are setting this value in your reverse proxy:

Nginx:

location / {
  ...
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  ...
}

Apache:

<VirtualEnv>
  ...
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
  ...
</VirtualEnv>

It is extremely important that you ensure that your code-server instance is not accessible from the internet (use localhost or block it in your firewall).

Fail2Ban

Fail2Ban allows for automatically banning and logging repeated failed authentication attempts for many applications through regex filters. A working filter for code-server can be found in ./code-server.fail2ban.conf. Once this is installed and configured correctly, repeated failed login attempts should automatically be banned from connecting to your server.