paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-04-09 09:58:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

correct alignment

tooomm 2025-01-05 22:42:11 +01:00
parent 57f73e4a1b
commit 63ad69b4eb
1 changed files with 62 additions and 60 deletions

122
Using-Security-Tools-with-Paperless-ngx.md

@ -1,99 +1,101 @@
[Crowdsec](#crowdsec) | [Fail2ban](#fail2ban) [Crowdsec](#crowdsec) | [Fail2ban](#fail2ban)
# Crowdsec # Crowdsec
> [Crowdsec](https://www.crowdsec.net/) is a crowdsourced intrusion detection and prevention system (IDS/IPS) that will detect suspicious login activity and ban IP addresses. These bans result from both a) local detection of e.g. brute-force login attempts based on the Paperless-ngx log files and b) the real-time community feed of aggressive IPs (IPs that show malicious activity within the Crowdsec user community, will be added to this list). > [Crowdsec](https://www.crowdsec.net/) is a crowdsourced intrusion detection and prevention system (IDS/IPS) that will detect suspicious login activity and ban IP addresses. These bans result from both a) local detection of e.g. brute-force login attempts based on the Paperless-ngx log files and b) the real-time community feed of aggressive IPs (IPs that show malicious activity within the Crowdsec user community, will be added to this list).
1. Install the [Paperless-ngx collection](https://hub.crowdsec.net/author/andreasbrett/collections/paperless-ngx) via Crowdsec's `cscli` tool. 1. Install the [Paperless-ngx collection](https://hub.crowdsec.net/author/andreasbrett/collections/paperless-ngx) via Crowdsec's `cscli` tool.
`sudo cscli collections install andreasbrett/paperless-ngx` `sudo cscli collections install andreasbrett/paperless-ngx`
2. Point Crowdsec to your Paperless-ngx logfile 2. Point Crowdsec to your Paperless-ngx logfile
Edit `/etc/crowdsec/acquis.yaml` with your preferred text editor and add a section pointing to the location of your Paperless-ngx log. If you have set up Paperless-ngx as a Docker container the log file will reside within the volume you configured. The absolute path for Docker volumes should be `/var/lib/docker/volumes/...`. Edit `/etc/crowdsec/acquis.yaml` with your preferred text editor and add a section pointing to the location of your Paperless-ngx log. If you have set up Paperless-ngx as a Docker container the log file will reside within the volume you configured. The absolute path for Docker volumes should be `/var/lib/docker/volumes/...`.
``` ```
--- ---
filenames: filenames:
- /var/lib/docker/volumes/paperless_data/_data/log/paperless.log - /var/lib/docker/volumes/paperless_data/_data/log/paperless.log
labels: labels:
type: Paperless-ngx type: Paperless-ngx
``` ```
3. Reload Crowdsec configuration 3. Reload Crowdsec configuration
`sudo systemctl reload crowdsec` `sudo systemctl reload crowdsec`
# Fail2ban # Fail2ban
> [Fail2ban](https://github.com/fail2ban/fail2ban) is a powerful tool for securing your server by monitoring log files for suspicious activity and banning IP addresses that exhibit malicious behavior. > [Fail2ban](https://github.com/fail2ban/fail2ban) is a powerful tool for securing your server by monitoring log files for suspicious activity and banning IP addresses that exhibit malicious behavior.
1. Create the Fail2ban Jail 1. Create the Fail2ban Jail
The first step is to create a fail2ban jail configuration file for Paperless. Open your preferred text editor and create a new file named `paperless.conf` in the `/etc/fail2ban/jail.d/` directory. The first step is to create a fail2ban jail configuration file for Paperless. Open your preferred text editor and create a new file named `paperless.conf` in the `/etc/fail2ban/jail.d/` directory.
Add the following contents to the file: Add the following contents to the file:
```bash ```bash
[paperless] [paperless]
enabled = true enabled = true
maxretry = 5 maxretry = 5
filter = paperless filter = paperless
logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log
chain = DOCKER-USER chain = DOCKER-USER
port = 8000 port = 8000
[paperless_proxy] [paperless_proxy]
enabled = true enabled = true
maxretry = 5 maxretry = 5
filter = paperless filter = paperless
logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log logpath = /var/lib/docker/volumes/paperless_data/_data/log/paperless.log
port = http,https port = http,https
``` ```
If the Paperless Docker volumes are located to a different location (`/var/lib/docker/volumes/`), modify the `logpath` accordingly. If the Paperless Docker volumes are located to a different location (`/var/lib/docker/volumes/`), modify the `logpath` accordingly.
If you are not using a reverse proxy to access Paperless you can remove the `[paperless_proxy]` section. If you are not using a reverse proxy to access Paperless you can remove the `[paperless_proxy]` section.
2. Create the Fail2ban Filter File 2. Create the Fail2ban Filter File
This file will define the pattern that fail2ban will look for in the Paperless log file to identify malicious activity. This file will define the pattern that fail2ban will look for in the Paperless log file to identify malicious activity.
Create a new file named `paperless.conf` in the `/etc/fail2ban/filter.d/` directory. Create a new file named `paperless.conf` in the `/etc/fail2ban/filter.d/` directory.
If you're using Paperless v1.14.0 to v1.16.5 add the following contents to the file: If you're using Paperless v1.14.0 to v1.16.5 add the following contents to the file:
``` ```
[Definition] [Definition]
failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>\.`$ failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>\.`$
ignoreregex = ignoreregex =
``` ```
If you're using Paperless v1.16.6 or newer add the following contents to the file: If you're using Paperless v1.16.6 or newer add the following contents to the file:
``` ```
[Definition] [Definition]
failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$ failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
ignoreregex = ignoreregex =
``` ```
3. Restart fail2ban 3. Restart fail2ban
Now that the jail and filter files have been created, you need to restart fail2ban for the changes to take effect. Now that the jail and filter files have been created, you need to restart fail2ban for the changes to take effect.
```bash ```bash
$ sudo systemctl restart fail2ban $ sudo systemctl restart fail2ban
``` ```
4. Test the Fail2ban Jail 4. Test the Fail2ban Jail
To test that the jail is working correctly, try logging into Paperless with an incorrect username or password multiple times from a different IP address. After the fifth attempt, fail2ban should ban the IP address. To test that the jail is working correctly, try logging into Paperless with an incorrect username or password multiple times from a different IP address. After the fifth attempt, fail2ban should ban the IP address.
You can view the status of the jail by running the following command: You can view the status of the jail by running the following command:
```bash ```bash
$ sudo fail2ban-client status paperless $ sudo fail2ban-client status paperless
$ sudo fail2ban-client status paperless_proxy $ sudo fail2ban-client status paperless_proxy
``` ```
You can unban an IP address by running the following command: You can unban an IP address by running the following command:
```bash ```bash
$ sudo fail2ban-client unban xx.xx.xx.xx $ sudo fail2ban-client unban xx.xx.xx.xx
``` ```