code-server/doc/fail2ban.md

# Protecting code-server from bruteforce attempts
code-server outputs all failed login attempts, along with the IP address,
provided password, user agent and timestamp by default.

When using a reverse proxy such as Nginx or Apache, the remote address may
appear to be `127.0.0.1` or a similar address so `X-Forwarded-For` should be
used instead. Ensure that you are setting this value in your reverse proxy:

Nginx:
```
location / {
  ...
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  ...
}
```

Apache:
```
<VirtualEnv>
  ...
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
  ...
</VirtualEnv>
```

It is extremely important that you ensure that your code-server instance is not
accessible from the internet (use localhost or block it in your firewall).

## Fail2Ban
Fail2Ban allows for automatically banning and logging repeated failed
authentication attempts for many applications through regex filters. A working
filter for code-server can be found in `./examples/fail2ban.conf`. Once this
is installed and configured correctly, repeated failed login attempts should
automatically be banned from connecting to your server.
Make flags additive and clean up docs This means that you have to turn on features now instead of disabling them like auth and https. In addition: - Allow multiple options for auth (only password for now). - Combine the install docs since they had many commonalities and - generally simplified them (hopefully not too much). - Move all example configs into docs/examples. 2019-07-23 20:38:00 +00:00			`# Protecting code-server from bruteforce attempts`
			`code-server outputs all failed login attempts, along with the IP address,`
			`provided password, user agent and timestamp by default.`

			`When using a reverse proxy such as Nginx or Apache, the remote address may`
			appear to be `127.0.0.1` or a similar address so `X-Forwarded-For` should be
			`used instead. Ensure that you are setting this value in your reverse proxy:`

			`Nginx:`
			```
			`location / {`
			`...`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`...`
			`}`
			```

			`Apache:`
			```
			`<VirtualEnv>`
			`...`
			`SetEnvIf X-Forwarded-For "^.\..\..\.." forwarded`
			`...`
			`</VirtualEnv>`
			```

			`It is extremely important that you ensure that your code-server instance is not`
			`accessible from the internet (use localhost or block it in your firewall).`

			`## Fail2Ban`
			`Fail2Ban allows for automatically banning and logging repeated failed`
			`authentication attempts for many applications through regex filters. A working`
Update fail2ban configuration Fixes #1177. 2019-11-14 17:14:27 +00:00			filter for code-server can be found in `./examples/fail2ban.conf`. Once this
Make flags additive and clean up docs This means that you have to turn on features now instead of disabling them like auth and https. In addition: - Allow multiple options for auth (only password for now). - Combine the install docs since they had many commonalities and - generally simplified them (hopefully not too much). - Move all example configs into docs/examples. 2019-07-23 20:38:00 +00:00			`is installed and configured correctly, repeated failed login attempts should`
			`automatically be banned from connecting to your server.`