Setup with Fail2Ban #255
Comments
Yeah, this was added in PR #152 but keep in mind, that bitwarden_rs logs to stdout, so, you need to configure docker (or however you run the service) to log to file instead. As for setting up Fail2Ban, it seems like the only missing bit might be setting up the filter. Maybe @Baelyk submitted the PR for this purpose and already has some configuration? |
I run it in a standard docker container with all persistent data in a 'data' folder. How would I set it up to log the attempts into a file that Fail2Ban can read? |
You can configure logging driver for container or the daemon. Maybe something like |
Sorry if this is really basic, I'm just starting out with docker.
to my docker-compose file? |
I think that should work. |
I added that and started the container, now when I run |
I guess that's expected as it now logs to syslog. Now you need to figure out where does syslog store the messages. |
OK so I've made a little progress. I found where the syslog is and it works. Mostly. It logs attempts made if the username looks like an email address, like asdf@asdf.com. But if I try to log in with a random username, like "asdfl" then no logging is made. I'm assuming this is expected behavior? |
Yeah, if it's not valid email, it's rejected on the client side, so there's no request reaching server. However if you called the login API endpoint manually you would see the log. |
Gotcha. Now I have the syslog working and made it a little more human friendly with the 'tag' option. Now I just need to create the fail2ban filter. |
GOT IT! OK, here we go.
Which made my syslog at /var/log/syslog report this:
Then comes the jail
And it WORKS! This is my first time creating anything like this so if anyone has any suggestions or improvements, PLEASE feel free to say so. |
Maybe a small suggestion there to improve the regex: failregex = ^%(__prefix_line)s.*Bitwarden.* ERROR: Username or password is incorrect. Try again. IP: <HOST>\. Username:.*$ Note the extra characters after Also maybe create a PR to add this documentation if you feel like? (something like a proxy with whole documentation in extra file and then link to it from README.md) |
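A way to dry-run the suggested failregex against sample log lines before wiring it into a jail (added example, not code from the thread or from bitwarden_rs; the `__prefix_line` stand-in, the `<HOST>` expansion, the "Bitwarden" syslog tag and the log lines are all constructed assumptions):

```python
import ipaddress
import re
from collections import Counter

# The failregex suggested in the thread, in fail2ban filter syntax.
FAILREGEX = (r"^%(__prefix_line)s.*Bitwarden.* ERROR: Username or password is "
             r"incorrect. Try again. IP: <HOST>\. Username:.*$")

# Assumption: fail2ban's real __prefix_line is a long, mostly optional pattern;
# this stand-in accepts an optional "Mon dd hh:mm:ss hostname " syslog prefix.
PREFIX_LINE = r"(?:\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ )?"
# Assumption: <HOST> expands to an IPv4 or IPv6 literal captured as "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"


def compile_failregex(failregex):
    """Expand the fail2ban placeholders into a plain Python regex."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def find_failed_logins(lines, failregex=FAILREGEX):
    """Return the client IP of every line the filter counts as a failed login."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.match(line)
        if m:
            # ip_address() rejects anything that is not a valid address literal.
            hits.append(str(ipaddress.ip_address(m.group("host"))))
    return hits


def would_ban(lines, maxretry=3, failregex=FAILREGEX):
    """IPs a jail with this maxretry would ban (findtime ignored for brevity)."""
    counts = Counter(find_failed_logins(lines, failregex))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


# Constructed syslog lines with tag "Bitwarden"; the INFO line is made up to show a non-match.
SAMPLE_LOG = [
    "Mar  4 10:15:01 homeserver Bitwarden[2201]: ERROR: Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.",
    "Mar  4 10:15:09 homeserver Bitwarden[2201]: ERROR: Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.",
    "Mar  4 10:15:14 homeserver Bitwarden[2201]: ERROR: Username or password is incorrect. Try again. IP: 203.0.113.7. Username: bob@example.com.",
    "Mar  4 10:16:00 homeserver Bitwarden[2201]: INFO: Logged in as carol@example.com from IP: 198.51.100.9.",
    "Mar  4 10:16:30 homeserver Bitwarden[2201]: ERROR: Username or password is incorrect. Try again. IP: 198.51.100.9. Username: carol@example.com.",
]

if __name__ == "__main__":
    print(find_failed_logins(SAMPLE_LOG))
    print(would_ban(SAMPLE_LOG))
```

Against a real filter file, fail2ban's own `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/<filter>.conf` does the same check with the genuine `__prefix_line`. The captured address is only useful if the service logs the real client IP; behind a reverse proxy it may log the proxy's address instead, as noted later in this thread.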
Hey, I tried to create the filter by your steps.
When I try to start I get |
Sorry I just saw this. Do you still need help? |
@itr6 No problem. Yes, please :) |
@Biepa
|
@itr6 The failregex was right. Started now, thanks for the help. |
Aw, yea. Make sure those brackets are there. Glad it is working for you! |
@mprasil I know this issue is closed, but I wanted to leave a comment here as it's the most relevant thread. I'm wanting to get fail2ban set up and working on my Bitwarden instance, but this is my first time heavily messing with docker/docker-compose so I'm a bit of a noob. I'm running Ubuntu 18.04, and I cannot find my docker-compose.yml file anywhere...is this something we have to manually create for the first time? I've read that the default path is ./docker-compose.yml. And if this is indeed something that needs to be created from scratch, then would you be willing to share the whole relevant structure of your docker-compose.yml file? I tried making one from scratch, but since I really don't fully understand what I'm doing yet I just encountered error after error. Thank you! |
Hi @dohlin, I don't use docker compose in my setup, so I don't have a tested configuration to share, perhaps @itr6 can share his setup? But yeah, you need to create the file from scratch. Something like this should work:

version: '3'
services:
  bitwarden_web:
    image: "mprasil/bitwarden"
    restart: "always"
    volumes:
      - "/local_bw_data:/data"
    logging:
      driver: "syslog"
      options:
        tag: "$TAG"

Note that you don't necessarily need to use docker compose to setup fail2ban. If you already run Hope that helps. |
@mprasil Thank you, that's very helpful and explains a lot. I really appreciate the easy explanation. It would appear that after digging into it a little more, since I'm serving this behind an Apache reverse proxy, that I would have to do a bit more work to get this to work as whenever there's a failed login Bitwarden sees it as coming from my reverse proxy server IP address. I might do some further digging down the road but for now I think my best bet is a strong master password paired with OTP 2FA. Thanks again!! |
I think |
@mprasil Interesting...should that be as simple as adding a line that says RemoteIPHeader X-Forwarded-For to the Apache virtualhost config file that controls the bitwarden site? I tried that and it didn't work. I also found SetEnvIf X-Forwarded-For "^......." forwarded elsewhere online, tried that and it didn't work either. I've enabled mod_remoteip in Apache and it doesn't complain about the config or anything so I think I've got it all set up right, but when I fail a login I still see the 192.168.1.x IP that is my reverse proxy IP. EDIT: I tried the instructions here and can confirm that in the last step when viewing the log my public IP address shows up as expected...unfortunately failed logins on Bitwarden still show as being from the private IP of my reverse proxy server. Also looked through everything else I can find online, from adding different config options to apache.conf and the individual virtual host conf, to modules such as rpaf and no matter what I do the results are still the same. :( |
Should we add this to the README for people who don't use docker compose? I am not very experienced with docker and I was very confused following the instructions for fail2ban because it a) assumed I was using docker-compose without providing instructions for how to use docker-compose and b) didn't mention you could do it without docker-compose |
Good point! There are some changes around logging in the latest beta. So we will probably need to revisit this whole setup anyways. |
@Algebro7 I prefer compose so I can navigate to my folder where my yaml file is (i.e. /opt/bitwarden) and run: |
Hi there! Sorry to add on to an already closed issue but I'm not sure if this warrants a new one or if I'm only facing this due to some weird setup. My log line differs slightly from this issue (and in the documentation):
No problem, I'll try my hand at writing an appropriate failregex to account for the additional bits:
No dice. I get 0 matches:
Would be really thankful for another pair of eyes on my regex to see what I missed! |
@jeslinmx |
@jeslinmx Scratch the above. Try this:
|
Note, that if you use latest docker image (or build from master) the logformat changed a bit. The release notes for 1.5.0 (not out yet) warn about that change. |
@mprasil Thanks for the heads up. I'll keep an eye out for the new version and make changes to the setup. |
@itr6 oh goodness. The reason mine was failing was because I left out the space after Anyway, I have generalized it to:
There is no need for
where the |
Sounds like you should submit a PR to update the docs @jeslinmx if you can. |
Hello |
I found it, wow, thanks |
Hi
I have replaced Regards |
@achilleus68 Have you successfully set up the logging of failed logins to a file that you can read from the host system? The part with "/volumex" you wrote is for Synology DSM only I think. So I think you need to continue here: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup#setup-for-web-vault |
I figured it out
|
Hello all! First off, thank you for this! It is amazing!
I was talking to u/me-ro on the homelab subreddit and they suggested I raise an issue to see if I can get some help with setting up bitwarden and Fail2Ban. He mentioned it logged all the password attempts but I can't find any of the logs.
Can someone please help?
Thanks!