Using Security Tools with Paperless ngx
tooomm edited this page 2025-01-05 22:42:11 +01:00


Crowdsec

Crowdsec is a crowdsourced intrusion detection and prevention system (IDS/IPS) that detects suspicious login activity and bans the offending IP addresses. Bans result from both a) local detection of e.g. brute-force login attempts in the Paperless-ngx log files and b) the real-time community feed of aggressive IPs (IPs that show malicious activity against other members of the Crowdsec user community are added to this list).

  1. Install the Paperless-ngx collection via Crowdsec's cscli tool.

    sudo cscli collections install andreasbrett/paperless-ngx

  2. Point Crowdsec to your Paperless-ngx logfile

    Edit /etc/crowdsec/acquis.yaml with your preferred text editor and add a section pointing to the location of your Paperless-ngx log. If you run Paperless-ngx as a Docker container, the log file resides within the volume you configured; the absolute path of a Docker volume is normally under /var/lib/docker/volumes/....

    ---
    filenames:
        - /var/lib/docker/volumes/paperless_data/_data/log/paperless.log
    labels:
        type: Paperless-ngx
    
  3. Reload Crowdsec configuration

    sudo systemctl reload crowdsec

Fail2ban

Fail2ban is a powerful tool for securing your server by monitoring log files for suspicious activity and banning IP addresses that exhibit malicious behavior.

  1. Create the Fail2ban Jail

    The first step is to create a fail2ban jail configuration file for Paperless. Open your preferred text editor and create a new file named paperless.conf in the /etc/fail2ban/jail.d/ directory.

    Add the following contents to the file:

    [paperless]
    enabled  = true
    maxretry = 5
    filter   = paperless
    logpath  = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log
    chain    = DOCKER-USER
    port     = 8000

    [paperless_proxy]
    enabled  = true
    maxretry = 5
    filter   = paperless
    logpath  = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log
    port     = http,https
    

    If the Paperless Docker volumes are located somewhere other than /var/lib/docker/volumes/, modify the logpath accordingly.

    If you are not using a reverse proxy to access Paperless you can remove the [paperless_proxy] section.

  2. Create the Fail2ban Filter File

    This file will define the pattern that fail2ban will look for in the Paperless log file to identify malicious activity.

    Create a new file named paperless.conf in the /etc/fail2ban/filter.d/ directory.

    If you're using Paperless v1.14.0 to v1.16.5, add the following contents to the file:

    [Definition]
    failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>\.`$
    ignoreregex =
    

    If you're using Paperless v1.16.6 or newer, add the following contents to the file:

    [Definition]
    failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
    ignoreregex =
    
  3. Restart fail2ban

    Now that the jail and filter files have been created, you need to restart fail2ban for the changes to take effect.

    $ sudo systemctl restart fail2ban
    
  4. Test the Fail2ban Jail

    To test that the jail is working correctly, try logging into Paperless with an incorrect username or password multiple times from a different IP address. After the fifth attempt, fail2ban should ban the IP address.

    You can view the status of the jail by running the following command:

    $ sudo fail2ban-client status paperless
    $ sudo fail2ban-client status paperless_proxy
    

    You can unban an IP address by running the following command:

    $ sudo fail2ban-client unban xx.xx.xx.xx
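Before testing against a live instance, you can check offline that the failregex you picked actually matches your log format. The following Python script is an added example, not part of this wiki page or the Paperless-ngx project: it expands <HOST> with a simplified stand-in (an assumption; Fail2ban's real expansion also matches hostnames), runs both failregex variants over constructed log lines, and applies the jail's maxretry=5 threshold. The timestamp/level prefix in the sample lines is illustrative, not real Paperless output.

```python
import re
from collections import Counter

# Stand-in for Fail2ban's <HOST> expansion (assumption: IPv4/IPv6 literals only;
# the real expansion also matches hostnames).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

# The two failregex variants from the filter step, keyed by Paperless-ngx version.
FAILREGEX = {
    "v1.14.0-v1.16.5": r"Login failed for user `.*` from (?:IP|private IP) `<HOST>\.`$",
    "v1.16.6+": r"Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$",
}

# Constructed log lines in the v1.16.6+ format (period outside the backticks);
# the timestamp/level prefix is illustrative, not real Paperless output.
PREFIX = "[2025-01-05 22:42:11] [WARNING] [paperless.auth] "
SAMPLE_LOG_NEW = (
    [PREFIX + "Login failed for user `admin` from IP `203.0.113.7`."] * 5
    + [PREFIX + "Login failed for user `bob` from private IP `10.0.0.5`.",
       PREFIX + "Login successful for user `alice` from IP `198.51.100.9`."]
)
# The same failed login as written by v1.14.0-v1.16.5 (period inside the backticks).
SAMPLE_LOG_OLD = [PREFIX + "Login failed for user `admin` from IP `203.0.113.7.`"]


def compile_failregex(version):
    """Expand <HOST> and compile the failregex for the given version range."""
    return re.compile(FAILREGEX[version].replace("<HOST>", HOST_RE))


def count_failures(log_lines, version):
    """Count matching failed logins per source IP, as the jail's maxretry counter does."""
    regex = compile_failregex(version)
    hits = Counter()
    for line in log_lines:
        match = regex.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_lines, version, maxretry=5):
    """Return the IPs that reached maxretry failures and would be banned."""
    return sorted(h for h, n in count_failures(log_lines, version).items() if n >= maxretry)


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG_NEW, "v1.16.6+"))           # ['203.0.113.7']
    print(count_failures(SAMPLE_LOG_NEW, "v1.14.0-v1.16.5"))  # Counter(): wrong filter version, nothing matches
```

The second print shows the failure mode the version note above guards against: the older pattern silently matches nothing on newer logs, so no ban is ever issued.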