From 63ad69b4eb7967c76fa836bc1e3cca48d1d25e0c Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 5 Jan 2025 22:42:11 +0100 Subject: [PATCH] correct alignment --- Using-Security-Tools-with-Paperless-ngx.md | 122 +++++++++++---------- 1 file changed, 62 insertions(+), 60 deletions(-) diff --git a/Using-Security-Tools-with-Paperless-ngx.md b/Using-Security-Tools-with-Paperless-ngx.md index c491749..9115630 100644 --- a/Using-Security-Tools-with-Paperless-ngx.md +++ b/Using-Security-Tools-with-Paperless-ngx.md 
@@ -1,99 +1,101 @@ [Crowdsec](#crowdsec) | [Fail2ban](#fail2ban) + # Crowdsec > [Crowdsec](https://www.crowdsec.net/) is a crowdsourced intrusion detection and prevention system (IDS/IPS) that will detect suspicious login activity and ban IP addresses. These bans result from both a) local detection of e.g. brute-force login attempts based on the Paperless-ngx log files and b) the real-time community feed of aggressive IPs (IPs that show malicious activity within the Crowdsec user community, will be added to this list). 1. Install the [Paperless-ngx collection](https://hub.crowdsec.net/author/andreasbrett/collections/paperless-ngx) via Crowdsec's `cscli` tool. -`sudo cscli collections install andreasbrett/paperless-ngx` + `sudo cscli collections install andreasbrett/paperless-ngx` 2. Point Crowdsec to your Paperless-ngx logfile -Edit `/etc/crowdsec/acquis.yaml` with your preferred text editor and add a section pointing to the location of your Paperless-ngx log. If you have set up Paperless-ngx as a Docker container the log file will reside within the volume you configured. The absolute path for Docker volumes should be `/var/lib/docker/volumes/...`. + Edit `/etc/crowdsec/acquis.yaml` with your preferred text editor and add a section pointing to the location of your Paperless-ngx log. If you have set up Paperless-ngx as a Docker container the log file will reside within the volume you configured. The absolute path for Docker volumes should be `/var/lib/docker/volumes/...`. -``` ---- -filenames: - - /var/lib/docker/volumes/paperless_data/_data/log/paperless.log -labels: + ``` + --- + filenames: + - /var/lib/docker/volumes/paperless_data/_data/log/paperless.log + labels: type: Paperless-ngx -``` + ``` 3. 
Reload Crowdsec configuration -`sudo systemctl reload crowdsec` + `sudo systemctl reload crowdsec` + # Fail2ban > [Fail2ban](https://github.com/fail2ban/fail2ban) is a powerful tool for securing your server by monitoring log files for suspicious activity and banning IP addresses that exhibit malicious behavior. - 1. Create the Fail2ban Jail +1. Create the Fail2ban Jail - The first step is to create a fail2ban jail configuration file for Paperless. Open your preferred text editor and create a new file named `paperless.conf` in the `/etc/fail2ban/jail.d/` directory. + The first step is to create a fail2ban jail configuration file for Paperless. Open your preferred text editor and create a new file named `paperless.conf` in the `/etc/fail2ban/jail.d/` directory. - Add the following contents to the file: + Add the following contents to the file: - ```bash - [paperless] - enabled = true - maxretry = 5 - filter = paperless - logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log - chain = DOCKER-USER - port = 8000 - [paperless_proxy] - enabled = true - maxretry = 5 - filter = paperless - logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log - port = http,https - ``` + ```bash + [paperless] + enabled = true + maxretry = 5 + filter = paperless + logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log + chain = DOCKER-USER + port = 8000 + [paperless_proxy] + enabled = true + maxretry = 5 + filter = paperless + logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log + port = http,https + ``` - If the Paperless Docker volumes are located to a different location (`/var/lib/docker/volumes/`), modify the `logpath` accordingly. + If the Paperless Docker volumes are located to a different location (`/var/lib/docker/volumes/`), modify the `logpath` accordingly. - If you are not using a reverse proxy to access Paperless you can remove the `[paperless_proxy]` section. 
+ If you are not using a reverse proxy to access Paperless you can remove the `[paperless_proxy]` section. - 2. Create the Fail2ban Filter File +2. Create the Fail2ban Filter File - This file will define the pattern that fail2ban will look for in the Paperless log file to identify malicious activity. + This file will define the pattern that fail2ban will look for in the Paperless log file to identify malicious activity. - Create a new file named `paperless.conf` in the `/etc/fail2ban/filter.d/` directory. + Create a new file named `paperless.conf` in the `/etc/fail2ban/filter.d/` directory. - If you're using Paperless v1.14.0 to v1.16.5 add the following contents to the file: + If you're using Paperless v1.14.0 to v1.16.5 add the following contents to the file: - ``` - [Definition] - failregex = Login failed for user `.*` from (?:IP|private IP) `\.`$ - ignoreregex = - ``` + ``` + [Definition] + failregex = Login failed for user `.*` from (?:IP|private IP) `\.`$ + ignoreregex = + ``` - If you're using Paperless v1.16.6 or newer add the following contents to the file: + If you're using Paperless v1.16.6 or newer add the following contents to the file: - ``` - [Definition] - failregex = Login failed for user `.*` from (?:IP|private IP) ``\.$ - ignoreregex = - ``` + ``` + [Definition] + failregex = Login failed for user `.*` from (?:IP|private IP) ``\.$ + ignoreregex = + ``` - 3. Restart fail2ban +3. Restart fail2ban - Now that the jail and filter files have been created, you need to restart fail2ban for the changes to take effect. + Now that the jail and filter files have been created, you need to restart fail2ban for the changes to take effect. - ```bash - $ sudo systemctl restart fail2ban - ``` + ```bash + $ sudo systemctl restart fail2ban + ``` - 4. Test the Fail2ban Jail +4. Test the Fail2ban Jail - To test that the jail is working correctly, try logging into Paperless with an incorrect username or password multiple times from a different IP address. 
After the fifth attempt, fail2ban should ban the IP address. + To test that the jail is working correctly, try logging into Paperless with an incorrect username or password multiple times from a different IP address. After the fifth attempt, fail2ban should ban the IP address. - You can view the status of the jail by running the following command: + You can view the status of the jail by running the following command: - ```bash - $ sudo fail2ban-client status paperless - $ sudo fail2ban-client status paperless_proxy - ``` + ```bash + $ sudo fail2ban-client status paperless + $ sudo fail2ban-client status paperless_proxy + ``` - You can unban an IP address by running the following command: - ```bash - $ sudo fail2ban-client unban xx.xx.xx.xx - ``` \ No newline at end of file + You can unban an IP address by running the following command: + ```bash + $ sudo fail2ban-client unban xx.xx.xx.xx + ```
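Review bot: In the `acquis.yaml` example under Crowdsec step 2, `type: Paperless-ngx` is left as an unchanged context line while `filenames:`, the log path entry and `labels:` are all re-indented together with the fence. Its indentation relative to `labels:` therefore shifts, and if it no longer sits deeper than `labels:` the example parses with an empty `labels` and a stray top-level `type`, so a reader copying it would acquire the log without the `type` label. Re-indent that line by the same amount as its siblings and check the rendered block.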
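Review bot: Both `failregex` lines in the filter step (the v1.14.0 to v1.16.5 variant and the v1.16.6-or-newer variant) show no `<HOST>` tag or other address group between the backticks that follow `(?:IP|private IP)`, in the removed and the added lines alike. fail2ban needs a host group in `failregex` to know which address to ban, so a filter copied from the page as displayed would not work. Since these lines are being touched anyway, confirm the raw Markdown still carries the tag and that it is shown literally inside the fence rather than being swallowed as an HTML element. Running `fail2ban-regex` with the real `paperless.log` and `/etc/fail2ban/filter.d/paperless.conf` would confirm the pattern matches before merge.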