commit bdcdb08fc10b00bb05d91ad089c4dc5ba79a8a33
parent 8b5d97790fd2d2f3767d6f58537f31a25e5a5c59
Author: Daniel GarcĂa <dani-garcia@users.noreply.github.com>
Date: Sat, 1 Dec 2018 14:34:47 +0100
Merge branch 'master' into rocket-0.4
Diffstat:
4 files changed, 80 insertions(+), 47 deletions(-)
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
@@ -39,14 +39,8 @@ RUN apt-get update \
ENV CARGO_HOME "/root/.cargo"
ENV USER "root"
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
WORKDIR /app
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-
# Prepare openssl arm64 libs
RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
/etc/apt/sources.list.d/deb-src.list \
@@ -61,19 +55,12 @@ ENV CROSS_COMPILE="1"
ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN rustup target add aarch64-unknown-linux-gnu
-RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
-RUN find . -not -path "./target*" -delete
-
# Copies the complete project
# To avoid copying unneeded files, use .dockerignore
COPY . .
-# Builds again, this time it'll just be
-# your actual source files being built
+# Build
+RUN rustup target add aarch64-unknown-linux-gnu
RUN cargo build --release --target=aarch64-unknown-linux-gnu -v
######################## RUNTIME IMAGE ########################
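Review bot: The remaining `RUN cargo build --release --target=aarch64-unknown-linux-gnu -v` is now the only step that resolves dependencies, and it runs without `--locked`. If the `Cargo.lock` brought in by `COPY . .` is missing or out of step with `Cargo.toml`, cargo will presumably re-resolve and fetch different crate versions without failing the build. Making the build refuse to do that keeps the image tied to the reviewed lockfile: `RUN cargo build --release --locked --target=aarch64-unknown-linux-gnu -v`. The same applies to the build steps in the Dockerfile.alpine hunk (`RUN cargo build --release`) and the matching Dockerfile.armv7 hunk. The build stage itself starts above this hunk, so earlier steps were not checked.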
@@ -109,4 +96,4 @@ COPY --from=vault /web-vault ./web-vault
COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/bitwarden_rs .
# Configures the startup!
-CMD ./bitwarden_rs
-\ No newline at end of file
+CMD ./bitwarden_rs
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -26,27 +26,17 @@ RUN npm run dist \
########################## BUILD IMAGE ##########################
# Musl build image for statically compiled binary
-FROM clux/muslrust:nightly-2018-08-24 as build
+FROM clux/muslrust:nightly-2018-11-30 as build
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo init --bin
+ENV USER "root"
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --release
-RUN find . -not -path "./target*" -delete
+WORKDIR /app
# Copies the complete project
# To avoid copying unneeded files, use .dockerignore
COPY . .
-# Builds again, this time it'll just be
-# your actual source files being built
+# Build
RUN cargo build --release
######################## RUNTIME IMAGE ########################
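Review bot: The bumped base image `FROM clux/muslrust:nightly-2018-11-30 as build` is referenced by tag only. A tag on a third-party registry image can be re-pushed, so this file does not fix the toolchain that compiles the server binary. Pinning the digest next to the tag keeps future bumps reviewable: `FROM clux/muslrust:nightly-2018-11-30@sha256:<digest-of-reviewed-image> as build`. The added `ENV USER "root"` uses the legacy space-separated form; `ENV USER=root` is the current spelling.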
@@ -75,7 +65,7 @@ EXPOSE 3012
COPY .env .
COPY Rocket.toml .
COPY --from=vault /web-vault ./web-vault
-COPY --from=build /volume/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs .
# Configures the startup!
CMD ./bitwarden_rs
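Review bot: `COPY .env .` in the runtime stage (unchanged context beside the corrected binary path) bakes whatever `.env` is in the build context into an image layer, where anyone who can pull the image can read it. The file's contents are not visible here, but if it can hold deployment credentials it would be safer to drop that line and supply settings at run time, for example with `docker run --env-file .env`. The shell-form `CMD ./bitwarden_rs` also runs the server under `/bin/sh -c`, so it may not receive the stop signal directly; `CMD ["./bitwarden_rs"]` avoids that. The runtime stage begins above this hunk.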
diff --git a/Dockerfile.armv7 b/Dockerfile.armv7
@@ -39,14 +39,8 @@ RUN apt-get update \
ENV CARGO_HOME "/root/.cargo"
ENV USER "root"
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin app
WORKDIR /app
-# Copies over *only* your manifests and vendored dependencies
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-
# Prepare openssl armhf libs
RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
/etc/apt/sources.list.d/deb-src.list \
@@ -61,19 +55,12 @@ ENV CROSS_COMPILE="1"
ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN rustup target add armv7-unknown-linux-gnueabihf
-RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
-RUN find . -not -path "./target*" -delete
-
# Copies the complete project
# To avoid copying unneeded files, use .dockerignore
COPY . .
-# Builds again, this time it'll just be
-# your actual source files being built
+# Build
+RUN rustup target add armv7-unknown-linux-gnueabihf
RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v
######################## RUNTIME IMAGE ########################
diff --git a/README.md b/README.md
@@ -40,6 +40,11 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
- [Password hint display](#password-hint-display)
- [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting)
- [Other configuration](#other-configuration)
+ - [Fail2Ban Setup](#fail2ban-setup)
+ - [Logging Failed Login Attempts to Syslog](#logging-failed-login-attempts-to-syslog)
+ - [Fail2Ban Filter](#fail2ban-filter)
+ - [Fail2Ban Jail](#fail2ban-jail)
+ - [Testing Fail2Ban](#testing-fail2ban)
- [Building your own image](#building-your-own-image)
- [Building binary](#building-binary)
- [Available packages](#available-packages)
@@ -416,6 +421,71 @@ Note that you can also change the path where bitwarden_rs looks for static files
Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
+### Fail2Ban Setup
+
+Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban.
+
+#### Logging Failed Login Attempts to Syslog
+
+We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file:
+```
+ bitwarden:
+ logging:
+ driver: "syslog"
+ options:
+ tag: "$TAG"
+```
+With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file:
+```
+$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.
+```
+You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter.
+
+#### Fail2Ban Filter
+
+Create the filter file
+```
+sudo nano /etc/fail2ban/filter.d/bitwarden.conf
+```
+And add the following
+```
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^%(__prefix_line)s.*$TAG.* ERROR: Username or password is incorrect. Try again. IP: <HOST>\. Username:.*$
+ignoreregex =
+```
+Dont forget to change the '$TAG' to what you set it as from above.
+
+#### Fail2Ban Jail
+
+Now we need the jail, create the jail file
+```
+sudo nano /etc/fail2ban/jail.d/bitwarden.local
+```
+and add:
+```
+[bitwarden]
+enabled = true
+port = 80,443,8081
+filter = bitwarden
+action = iptables-allports[name=bitwarden]
+logpath = /var/log/syslog
+maxretry = 3
+bantime = 14400
+findtime = 14400
+```
+Feel free to change the options as you see fit.
+
+#### Testing Fail2Ban
+
+Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
+If it works correctly and your IP is banned, you can unban the ip by running:
+```
+sudo fail2ban-client unban XX.XX.XX.XX bitwarden
+```
+
## Building your own image
Clone the repository, then from the root of the repository run: