fail2ban - not working with vaultwarden

[ajaskiewiczpl]

Hi, I have vaultwarden installed in docker container:

docker-compose.yml

version: '3'

services:
  bitwarden:
    image: bitwardenrs/server
    container_name: bitwarden
    restart: unless-stopped
    volumes:
      - /mnt/storage/bitwarden:/data
    ports:
      - 3011:80
    environment:
      WEBSOCKET_ENABLED: 'false'
      SIGNUPS_ALLOWED: 'false'
      LOG_FILE: /data/bitwarden.log
      LOG_LEVEL: 'warn'
      EXTENDED_LOGGING: 'true'

I'm trying to configure fail2ban to work with vaultwarden. I am reading official tutorial from github page, and I got following:

Filter file - bitwarden.local:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex = 

jail.local:

[bitwarden]
enabled = true
port = 80,443,3011
filter = bitwarden
logpath = /mnt/storage/bitwarden/bitwarden.log

I attempted to input wrong password many times and I see the expected message Username or password is incorrect in the log file. To verify if fail2ban correctly parses log file I run following command:
fail2ban-regex /mnt/storage/bitwarden/bitwarden.log /etc/fail2ban/filter.d/bitwarden.local and here are results:

Running tests
=============

Use   failregex filter file : bitwarden, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /mnt/storage/bitwarden/bitwarden.log
Use         encoding : UTF-8


Results
=======

Failregex: 87 total
|-  #) [# of hits] regular expression
|   1) [87] ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [684] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 692 lines, 0 ignored, 87 matched, 605 missed
[processed in 0.13 sec]

Looks good. I also checked if there are any errors with jail initialization when fail2ban starts:

2021-05-05 17:05:08,322 fail2ban.jail           [2245503]: INFO    Creating new jail 'bitwarden'
2021-05-05 17:05:08,322 fail2ban.jail           [2245503]: INFO    Jail 'bitwarden' uses pyinotify {}
2021-05-05 17:05:08,331 fail2ban.jail           [2245503]: INFO    Initiated 'pyinotify' backend
2021-05-05 17:05:08,336 fail2ban.actions        [2245503]: INFO      banTime: 31536000
2021-05-05 17:05:08,336 fail2ban.filter         [2245503]: INFO      encoding: UTF-8
2021-05-05 17:05:08,338 fail2ban.filter         [2245503]: INFO    Added logfile: '/mnt/storage/bitwarden/bitwarden.log' (pos = 83630, hash = a6c4780417e498611a0053739b77334ecf701aee)
2021-05-05 17:05:08,343 fail2ban.jail           [2245503]: INFO    Jail 'sshd' started
2021-05-05 17:05:08,345 fail2ban.jail           [2245503]: INFO    Jail 'nginx-http-auth' started
2021-05-05 17:05:08,572 fail2ban.jail           [2245503]: INFO    Jail 'nginx-botsearch' started
2021-05-05 17:05:08,576 fail2ban.jail           [2245503]: INFO    Jail 'php-url-fopen' started
2021-05-05 17:05:08,579 fail2ban.jail           [2245503]: INFO    Jail 'bitwarden' started

As you can see, no errors, however fail2ban is still not even detecting any attempts to login with invalid credentials and is not taking any action - there are no relevant logs in fail2ban log file. Just to be clear, max retries value is 3 and I try to login with invalid password 5 or 6 times within couple of seconds. What am I doing wrong? Why it doesn't work?

[MilesTEG1]

Hello,
I've successfully set-up fail2ban for my Vaultwarden (ex Bitwarden-RS).
how do you installed Vaultwarden in docker ? HOST, BRIDGE ?

I installed in bridge network, on its own bridge network.
I set the port to the one I use on the container's host. Not the one accessible from internet, because it's the 443 port (from my reverse proxy). After writing this, maybe I should have set to 443...

Nevertheless, here my Vaultwarden.local jail.d file :

# /volume1/docker/fail2ban/jail.d/vaultwarden.conf

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8

# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

destemail = email@gmail.com
sender = email@gmail.com
sendername = Fail2Ban
action = %(action_mwl)s

backend = auto


[vaultwarden]
enabled = true
port = 882,3012

# Doit correspondre au nom du fichier .conf dans le dossier filter.d
filter = vaultwarden

logpath = /vaultwarden/vaultwarden.log

I have an identical file for the admin access :

# /volume1/docker/fail2ban/jail.d/vaultwarden-admin.conf

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8

# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

destemail = email@gmail.com
sender = email@gmail.com
sendername = Fail2Ban
action = %(action_mwl)s

backend = auto


[vaultwarden-admin]
enabled = true
port = 882,3012

# Doit correspondre au nom du fichier .conf dans le dossier filter.d
filter = vaultwarden-admin

logpath = /vaultwarden/vaultwarden.log

Dor the filter.d file for vaultwarden admin page :

# /volume1/docker/fail2ban/filter.d/vaultwarden-admin.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =

I just try to log in with a bad password, and it's reflected in the fail2ban.log :

2021-05-03 18:04:50,961 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' started
2021-05-03 18:04:50,963 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' started
2021-05-05 17:21:47,499 fail2ban.filter         [1]: INFO    [vaultwarden] Ignore 192.168.0.100 by ip

192.168.0.100 is my computer's IP address.

Did you set the volume bind:mount for the Vaulwarden log file when you created the fail2ban container ?

[ajaskiewiczpl]

Sorry I edited original post, I should have mentioned that I use docker container. I'm not explicitly setting network driver so it's default. As you can see I exposed port 3011 in that container and in the filter I put all three ports 80,443,3011.

[MilesTEG1]

Sorry I edited original post, I should have mentioned that I use docker container. I'm not explicitly setting network driver so it's default. As you can see I exposed port 3011 in that container and in the filter I put all three ports 80,443,3011.

Ok, So am I. I'm using Docker too, for fail2ban and for Vaultwarden.
Currently you're using the old image (old name : bitwarden_rs). Now it's been renamed to Vaultwarden, so the image too. You should use vaultwarden/server:latest.
Nevertheless, you have a working install, and it's in a bridge network, the default one by Docker.
Almost the same for me, as I create a bridge network especially for Vaultwarden.
You published the 80,443,3011 ports, so it should be those in the jail.d files.

But when I look at your jail.d files, I don't see any action. What action do you use ?
Is there is no action, fail2ban won't do anything, I think...
I add the default section in each jail.d file to be sure there is an action done.

[ajaskiewiczpl]

If I understand correctly how fail2ban works, you don't have to explicitly define actions in each jail. Default action and banaction are defined in jail.conf file. But just to be sure, I added banaction = %(banaction_allports)s in bitwarden jail, and it still doesn't do anything :/ Other jails seems to be working fine - I see that yesterday nginx-botsearch has banned some IP. I don't know what's wrong with the bitwarden jail.

[thangisme]

I'm having the same issue. Did you find any solution?

[fraggy2k]

Same problem here, but now it is working for me.

1. Make sure you use start fail2ban with --network host --cap-add NET_ADMIN --cap-add NET_RAW
2. Read the issue with "nftables" which is issues on some distros Will you support nftables? crazy-max/docker-fail2ban#29 (comment)
3. I've added the files "action.d/nftables-input.conf" & "action.d/nftables-forward.conf" and changed the "banaction = nftables-forward" and that's it!