From 74c62744a3a041d4fd052ac0a7c6da762b650f27 Mon Sep 17 00:00:00 2001 From: Ayane Satomi Date: Wed, 18 Sep 2019 23:22:31 +0800 Subject: [PATCH] Created Securing your code-server instance from attacks (markdown) --- ...-your-code-server-instance-from-attacks.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Securing-your-code-server-instance-from-attacks.md diff --git a/Securing-your-code-server-instance-from-attacks.md b/Securing-your-code-server-instance-from-attacks.md new file mode 100644 index 0000000..6a60c35 --- /dev/null +++ b/Securing-your-code-server-instance-from-attacks.md @@ -0,0 +1,34 @@ +code-server outputs all failed login attempts, along with the IP address, +provided password, user agent and timestamp by default. + +When using a reverse proxy such as Nginx or Apache, the remote address may +appear to be `127.0.0.1` or a similar address so `X-Forwarded-For` should be +used instead. Ensure that you are setting this value in your reverse proxy: + +Nginx: +``` +location / { + ... + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ... +} +``` + +Apache: +``` + + ... + SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded + ... + +``` + +It is extremely important that you ensure that your code-server instance is not +accessible from the internet (use localhost or block it in your firewall). + +## Fail2Ban +Fail2Ban allows for automatically banning and logging repeated failed +authentication attempts for many applications through regex filters. A working +filter for code-server can be found in `./code-server.fail2ban.conf`. Once this +is installed and configured correctly, repeated failed login attempts should +automatically be banned from connecting to your server. \ No newline at end of file
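Review bot: the Apache example does not do what the sentence above it says. `SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded` only sets an environment variable named `forwarded` when the incoming request already carries an `X-Forwarded-For` header containing three dots; it does not add or set that header on the request proxied to code-server, so it is not a counterpart of the Nginx `proxy_set_header` line. With mod_proxy the header is added when `ProxyAddHeaders` is on (the default), so either state that or show a directive that actually sets the header. The block is also missing its enclosing container: the hunk shows only `...` lines around the `SetEnvIf`, with no `<Location>` or `<VirtualHost>` visible, so a reader cannot tell where it goes. Two smaller points: `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client already sent, so the first address in the header can come from the client rather than from the proxy; when Nginx is the only proxy hop, `proxy_set_header X-Forwarded-For $remote_addr;` records an address the client cannot influence, which is what makes the Fail2Ban bans described below trustworthy. And the Fail2Ban section points to `./code-server.fail2ban.conf`, but this patch creates only the markdown page (1 file changed), so link to where that filter lives or add it in the same change. Finally, the new file ends without a trailing newline.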