fail2ban rule for API? #540

New Issue

adam · 2025-12-29T02:19:40+01:00

adam commented

2025-12-29 02:19:40 +01:00

Originally created by @unusualevent on GitHub (Aug 6, 2023).

Why

If headscale is part of the outer services of a network (along with email servers), it'd be great to have strong tooling to monitor and block attempts to authenticate to it, to disallow bruteforcing.

This is important for things like the API, but less well defined for things like wireguard itself, which doesn't provide good logging for key attempts for use in blocking. At least the other negotiation ports on headscale would be more secured.

Description

It would be nice to have a recommended filter & block action for headscale, to be used in fail2ban.

these can simply be documented in a section entitled "hardening".

For example:

Vaultwarden's fail2ban documentation: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
Mailu's fail2ban documentation: https://mailu.io/1.9/faq.html#do-you-support-fail2ban

you would need:

a consistent location for authorization failures in logs
a consistent regular expression for failures (to make a filter)
a good action for failures (in mailu since it's containers it's slightly different) - to make the jail file
a good spot in the documentation to place it
a network to test the fail2ban rules with

Originally created by @unusualevent on GitHub (Aug 6, 2023). ## Why If headscale is part of the outer services of a network (along with email servers), it'd be great to have strong tooling to monitor and block attempts to authenticate to it, to disallow bruteforcing. This is important for things like the API, but less well defined for things like wireguard itself, which doesn't provide good logging for key attempts for use in blocking. At least the other negotiation ports on headscale would be more secured. ## Description It would be nice to have a recommended filter & block action for headscale, to be used in fail2ban. these can simply be documented in a section entitled "hardening". For example: - Vaultwarden's fail2ban documentation: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup - Mailu's fail2ban documentation: https://mailu.io/1.9/faq.html#do-you-support-fail2ban you would need: 1. a consistent location for authorization failures in logs 2. a consistent regular expression for failures (to make a filter) 3. a good action for failures (in mailu since it's containers it's slightly different) - to make the jail file 4. a good spot in the documentation to place it 5. a network to test the fail2ban rules with

adam added the enhancement label 2025-12-29 02:19:40 +01:00

adam closed this issue

2025-12-29 02:19:40 +01:00

adam commented

2025-12-29 02:19:41 +01:00

@juanfont commented on GitHub (Aug 27, 2023):

This can be implemented in a reverse proxy if needed.

@juanfont commented on GitHub (Aug 27, 2023): This can be implemented in a reverse proxy if needed.

adam commented

2025-12-29 02:19:41 +01:00

@mathmaniac43 commented on GitHub (Jan 18, 2024):

Hello!

I am interested in hardening my Headscale instance as well. I am hosting it behind a Traefik reverse proxy, so I believe I could set up fail2ban or something like that in Traefik, which is great.

However, I am not sure HOW to do that, or specifically how to have Headscale pass along failures to authenticate to the reverse proxy to eventually decide to fail/block. Any guidance or ideas would be appreciated.

Thanks!

@mathmaniac43 commented on GitHub (Jan 18, 2024): Hello! I am interested in hardening my Headscale instance as well. I am hosting it behind a Traefik reverse proxy, so I believe I could set up fail2ban or something like that in Traefik, which is great. However, I am not sure HOW to do that, or specifically how to have Headscale pass along failures to authenticate to the reverse proxy to eventually decide to fail/block. Any guidance or ideas would be appreciated. Thanks!

adam commented

2025-12-29 02:19:42 +01:00

@phs78 commented on GitHub (Jul 19, 2025):

configure traefik to create an access log readable by fail2ban
create a fail2ban filter that catches failregex = ^ - - [.] "GET /api/v1/apikey." 500 .*
create a jail

I have this working. I just need to write it up and I'll share.

@phs78 commented on GitHub (Jul 19, 2025): 1. configure traefik to create an access log readable by fail2ban 2. create a fail2ban filter that catches failregex = ^<HOST> - - \[.*\] "GET /api/v1/apikey.*" 500 .* 3. create a jail I have this working. I just need to write it up and I'll share.

adam commented

2025-12-29 02:19:42 +01:00

@numericOverflow commented on GitHub (Dec 28, 2025):

configure traefik to create an access log readable by fail2ban

create a fail2ban filter that catches failregex = ^ - - [.] "GET /api/v1/apikey." 500 .*

create a jail

I have this working. I just need to write it up and I'll share.

@phs78 - you ever get around to sharing? Thought it'd be smart to get headscale hooked up to fail2ban if possible, since I see a ton of IPs that constantly try to connect to my setup.

@numericOverflow commented on GitHub (Dec 28, 2025): > 1. configure traefik to create an access log readable by fail2ban > > 2. create a fail2ban filter that catches failregex = ^ - - [._] "GET /api/v1/apikey._" 500 .* > > 3. create a jail > > > I have this working. I just need to write it up and I'll share. @phs78 - you ever get around to sharing? Thought it'd be smart to get headscale hooked up to fail2ban if possible, since I see a ton of IPs that constantly try to connect to my setup.

adam referenced this issue

2025-12-29 02:30:10 +01:00

[PR #540] [MERGED] Fix key name about derp port in derp-example.yml #1466

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#540