Based on my prior installation success with FreshRSS, I felt it was necessary to put it behind a fail2ban filter to drop inbound traffic from abusive external IPs.
My FreshRSS installation is using the simple tarball on top of webroot method; I’m not using containers or anything. It’s all bare metal, so it’s piggybacking off of the same Apache server that’s serving other sites.
For my own notes, and for your edification, here are my fail2ban configs:
/etc/fail2ban/jail.d/freshrss.local:
[freshrss]
enabled = true
port = 80,443
protocol = tcp
filter = freshrss
maxretry = 3
bantime = 10800
logpath = /var/log/apache2/ssl_access.log
/etc/fail2ban/filter.d/freshrss.local:
[Definition]
failregex = ^<HOST> .+\" 401 \d+ .*$
ignoreregex=
This filter matches any line in the access log that carries an HTTP 401 status. Admittedly, because the log is shared, it will catch 401s for all the other sites on this server, but let’s be realistic: that’s a good thing.
# SAMPLE APACHE LOG
# 172.31.13.13 - - [01/Dec/2024:16:27:11 -0600] "POST /freshrss/api/greader.php/accounts/ClientLogin?Email=asdf&Passwd=uuuuu HTTP/1.1" 401 670 "-" "FeedMe/3.16 (com.seazon.feedme; build:206; Android SDK 34)"
Save these files, then run systemctl reload fail2ban.service so it’ll pick up the new jail. Try a few bad login attempts and voila.
root@server:/etc/fail2ban/filter.d# fail2ban-client status freshrss
Status for the jail: freshrss
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- File list: /var/log/apache2/ssl_access.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 172.31.13.13
Additionally, you can test your fail2ban filter regex during development with:
fail2ban-regex /var/log/apache2/ssl_access.log /etc/fail2ban/filter.d/freshrss.local
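To see what the filter counts without touching a live log, here is an added example (not part of the original post and not fail2ban's own code) that applies the page's failregex to sample lines with Python's `re`, the regex engine fail2ban uses. Assumptions: `HOST_GROUP` is a simplified stand-in for fail2ban's `<HOST>` expansion, `SCOPED_FAILREGEX` is a hypothetical narrower variant included only for comparison, every log line except the first is constructed, and `findtime` is not modelled.

```python
import re
from collections import Counter

# failregex exactly as in filter.d/freshrss.local on this page.
PAGE_FAILREGEX = r'^<HOST> .+\" 401 \d+ .*$'
# Hypothetical narrower variant (not from the page): 401s under /freshrss/ only.
SCOPED_FAILREGEX = r'^<HOST> [^"]*"[A-Z]+ /freshrss/\S* [^"]*" 401 \d+ .*$'
# Assumption: simplified stand-in for fail2ban's own <HOST> expansion.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{3,39})'

UA = '"-" "FeedMe/3.16 (com.seazon.feedme; build:206; Android SDK 34)"'
LOGIN = '"POST /freshrss/api/greader.php/accounts/ClientLogin?Email=asdf&Passwd=uuuuu HTTP/1.1"'
# First line is the page's sample; every other line is constructed.
LINES = [
    f'172.31.13.13 - - [01/Dec/2024:16:27:11 -0600] {LOGIN} 401 670 {UA}',
    f'172.31.13.13 - - [01/Dec/2024:16:27:14 -0600] {LOGIN} 401 670 {UA}',
    f'172.31.13.13 - - [01/Dec/2024:16:27:19 -0600] {LOGIN} 401 670 {UA}',
    # Successful request whose response size happens to be 401 bytes.
    '198.51.100.7 - - [01/Dec/2024:16:30:02 -0600] "GET /freshrss/i/ HTTP/1.1" 200 401 "-" "curl/8.5.0"',
    # 401s from a different site on the same Apache server.
    *['203.0.113.9 - bob [01/Dec/2024:16:31:00 -0600] "GET /otherapp/admin HTTP/1.1" 401 381 "-" "curl/8.5.0"'] * 3,
]

def failing_hosts(failregex, lines):
    """Client address of each line the filter would count as a failure."""
    rx = re.compile(failregex.replace('<HOST>', HOST_GROUP))
    return [m.group('host') for m in map(rx.search, lines) if m]

def would_ban(failregex, lines, maxretry=3):
    """Hosts reaching maxretry (the jail's value); findtime is ignored here."""
    counts = Counter(failing_hosts(failregex, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == '__main__':
    for name, rx in (('page', PAGE_FAILREGEX), ('scoped', SCOPED_FAILREGEX)):
        print(name, would_ban(rx, LINES))
```

The page's filter bans both the FreshRSS client and the client hitting the other site, as the post says it will, while the 200 response with a 401-byte body is not counted.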
I somehow feel…safer. It’s the little things.