diff options
Diffstat (limited to 'doc/security/rack_attack.md')
| -rw-r--r-- | doc/security/rack_attack.md | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index ad83dc05a93..fa4b0d1fb09 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -1,24 +1,28 @@ +--- +type: reference, howto +--- # Rack Attack -Rack Attack, also known as Rack::Attack, is [a rubygem](https://github.com/kickstarter/rack-attack) +[Rack Attack](https://github.com/kickstarter/rack-attack), also known as Rack::Attack, is a Ruby gem that is meant to protect GitLab with the ability to customize throttling and -blocking user IPs. +to block user IP addresses. + You can prevent brute-force passwords attacks, scrapers, or any other offenders -by throttling requests from IP addresses making large volumes of requests. -In case you find throttling is not enough to protect you against abusive clients, -Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering and +by throttling requests from IP addresses that are making large volumes of requests. +If you find throttling is not enough to protect you against abusive clients, +Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering, and tracking. **Note:** Starting with 11.2, Rack Attack is disabled by default. To continue -using this feature, please enable it by [configuring `gitlab.rb` as described in Settings](#settings). +using Rack Attack, please enable it by [configuring `gitlab.rb` as described in Settings](#settings). By default, user sign-in, user sign-up (if enabled), and user password reset is limited to 6 requests per minute. After trying for 6 times, the client will have to wait for the next minute to be able to try again. -If you installed or upgraded GitLab by following the [official guides](../install/README.md) -this should be disabled by default. If your instance is not exposed to any incoming -connections, it is recommended to leave Rack Attack disabled. +If you installed or upgraded GitLab by following the [official guides](../install/README.md), +Rack Attack should be disabled by default. If your instance is not exposed to any incoming +connections, it is recommended that you leave Rack Attack disabled. For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). @@ -27,7 +31,7 @@ For more information on how to use these options check out **Omnibus GitLab** -1. Open `/etc/gitlab/gitlab.rb` with you editor +1. Open `/etc/gitlab/gitlab.rb` with your editor 1. Add the following: ```ruby @@ -53,7 +57,7 @@ The following settings can be configured: For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`. - `maxretry`: The maximum amount of times a request can be made in the specified time. -- `findtime`: The maximum amount of time failed requests can count against an IP +- `findtime`: The maximum amount of time that failed requests can count against an IP before it's blacklisted (in seconds). - `bantime`: The total amount of time that a blacklisted IP will be blocked (in seconds). @@ -94,7 +98,7 @@ In case you want to remove a blocked IP, follow these steps: 1. Find the IPs that have been blocked in the production log: ```sh - grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log + grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log ``` 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`: |