vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README
commit b56a9053225552007c807754ec93aa621887fbf3
parent 0f6ab01f777700c68aee8fcf0cbf0be742c286e1
Author: itr6 <44070017+itr6@users.noreply.github.com>
Date:   Thu, 29 Nov 2018 10:42:53 -0600

Update README.md
Diffstat:

MREADME.md | 63+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


1 file changed, 63 insertions(+), 0 deletions(-)

diff --git a/README.md b/README.md
@@ -416,6 +416,69 @@ Note that you can also change the path where bitwarden_rs looks for static files
 
 Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
 
+### Fail2Ban Setup
+
+Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban.
+
+#### Logging failed login attempts to syslog
+
+We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file:
+```
+  bitwarden:
+    logging:
+      driver: "syslog"
+      options:
+        tag: "$TAG"
+```
+With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file:
+`$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.`
+You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter.
+
+#### Fail2Ban Filter
+
+Create the filter file
+```
+sudo nano /etc/fail2ban/filter.d/bitwarden.conf
+```
+And add the following
+```
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^%(__prefix_line)s.*$TAG.* ERROR: Username or password is incorrect. Try again. IP: <HOST>\. Username:.*$
+ignoreregex =
+```
+Dont forget to change the '$TAG' to what you set it as from above.
+
+#### Fail2ban Jail
+
+Now we need the jail, create the jail file
+```
+sudo nano /etc/fail2ban/jail.d/bitwarden.local
+```
+and add:
+```
+[bitwarden]
+enabled = true
+port = 80,443,8081
+filter = bitwarden
+action = iptables-allports[name=bitwarden]
+logpath = /var/log/syslog
+maxretry = 3
+bantime = 14400
+findtime = 14400
+```
+Feel free to change the options as you see fit.
+
+#### Testing Fail2Ban
+
+Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
+If it works correctly and your IP is banned, you can unban the ip by running:
+```
+sudo fail2ban-client unban XX.XX.XX.XX bitwarden
+```
+
 ## Building your own image
 
 Clone the repository, then from the root of the repository run: