generalredmine

Configure fail2ban

If you want to limit the number of login attempts (and avoid brute-force attacks), install fail2ban and configure it to work with the Bitnami Redmine Stack. Follow these steps:

  • Install fail2ban:

          $ sudo apt-get update
          $ sudo apt-get install fail2ban
    
  • Modify the Redmine /opt/bitnami/redmine/config/environment.rb configuration file to allow the Redmine logger to add timestamps to the production.log file. To do this, add the following lines:

      class Logger
        def format_message(severity, timestamp, progname, msg)
          "#{timestamp} (#{$$}) #{msg}\n"
        end
      end
    
  • Restart the Apache server.

      $ sudo /opt/bitnami/ctlscript.sh restart apache
    

Next, configure fail2ban following the steps below:

  • Create the /etc/fail2ban/filter.d/redmine.conf file with the following code:

      [Definition]
    
      failregex = Failed [-/\w]+ for .* from <HOST>
      ignoreregex =
    
  • Create the /etc/fail2ban/jail.local file and add the code below:

      [redmine]
      enabled = true
      filter = redmine
      port = http,https
      logpath = /opt/bitnami/redmine/log/production.log
      maxretry = 5
      findtime = 600
      bantime = 600
    

    This fail2ban configuration will ban the IP of any user that tried to access five (maxretry) different times in 10 minutes (findtime) without success. Note that the ban only will affect the ports 80 and 443, and the user with the banned IP will not be able to contact the web server for 10 minutes (bantime).

  • Before applying the configuration,test if the regex configuration is correct. To test this, browse to your Bitnami Redmine login page and use a non-existent user/password to get a login error. Then, run this command:

      $ fail2ban-regex /opt/bitnami/redmine/log/production.log /etc/fail2ban/filter.d/redmine.conf
    

    If the last two lines of the output show you at least “1 matched”, the regex is properly configured:

      Lines: 412 lines, 0 ignored, 1 matched, 397 missed
      Missed line(s):: too many to print.  Use --print-all-missed to print all 397 lines
    
  • Apply the configuration with this command

          $ sudo /etc/init.d/fail2ban restart
    

To check if all is working, try logging in five different times with bad credentials. On the fifth unsuccessful attempt, you will be banned for 10 minutes.

Last modification February 9, 2023