mirror of
https://github.com/danog/code-server.git
synced 2024-12-15 10:47:12 +01:00
36 lines
1.1 KiB
Markdown
36 lines
1.1 KiB
Markdown
|
# Protecting code-server from bruteforce attempts
|
||
|
code-server outputs all failed login attempts, along with the IP address,
|
||
|
provided password, user agent and timestamp by default.
|
||
|
|
||
|
When using a reverse proxy such as Nginx or Apache, the remote address may
|
||
|
appear to be `127.0.0.1` or a similar address so `X-Forwarded-For` should be
|
||
|
used instead. Ensure that you are setting this value in your reverse proxy:
|
||
|
|
||
|
Nginx:
|
||
|
```
|
||
|
location / {
|
||
|
...
|
||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
...
|
||
|
}
|
||
|
```
|
||
|
|
||
|
Apache:
|
||
|
```
|
||
|
<VirtualEnv>
|
||
|
...
|
||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||
|
...
|
||
|
</VirtualEnv>
|
||
|
```
|
||
|
|
||
|
It is extremely important that you ensure that your code-server instance is not
|
||
|
accessible from the internet (use localhost or block it in your firewall).
|
||
|
|
||
|
## Fail2Ban
|
||
|
Fail2Ban allows for automatically banning and logging repeated failed
|
||
|
authentication attempts for many applications through regex filters. A working
|
||
|
filter for code-server can be found in `./code-server.fail2ban.conf`. Once this
|
||
|
is installed and configured correctly, repeated failed login attempts should
|
||
|
automatically be banned from connecting to your server.
|