MirrorHub/bitwarden_rs
0
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-06-17 19:38:25 +02:00
Code Issues Releases Wiki Activity

Reworked the installation section to integrate nicely the Synology section

La Drôme Laboratoire 2020-03-24 12:51:55 +01:00
parent 21549b3244
commit 36b81b70ae
1 changed files with 83 additions and 89 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

172
Fail2Ban-Setup.md

@ -1,26 +1,95 @@
As of release 1.5.0, bitwarden_rs supports logging to file. See [[Logging|logging]] for information on how to set this up.
Setup Fail2ban will prevent attackers to brute force your vault logins. This is particularly important if your instance is publicaly available.
## Logging Failed Login Attempts
## Pre-requisite
After specifying the log file location, failed login attempts will appear in the logs in the following format:
- From Release 1.5.0, Bitwarden_rs supports logging to file. Please set this up : [[Logging|logging]]
- Try to log with a false account and check the log files for folowing format
````
[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
````
## Installation
### Debian / Ubuntu / Raspian
```
[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
sudo apt-get install fail2ban -y
```
Install Fail2Ban (under Debian/Rasbian)
### Fedora / Centos
EPEL repository is necessary (CentOS 7)
```
sudo apt-get install fail2ban -y
sudo yum install epel-release
sudo yum install fail2ban -y
```
Under Fedora/CentOS
### Synology DSM
With Synology, a bit more work is needed for various reasons. The main issues are:
EPEL repository necessary (CentOS 7)
```
sudo yum install epel-release
```
1. The embeded IP ban system does not work for Docker's containers
2. The iptables embeded do no support the `REJECT` blocktype
3. The Docker GUI does not allow some advanced settings
4. Modifying system configuration is not upgrade-proof
Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban) provides a good solution and the Synology's docker GUI will be ignored. From command line through SSH, here the steps. As convention `volumeX` is to be adapted to your Synology's config.
0. Get root
````
sudo -i
````
1. Creating persistent folders
````
mkdir -p /volumeX/docker/fail2ban/action.d/
mkdir -p /volumeX/docker/fail2ban/jail.d/
mkdir -p /volumeX/docker/fail2ban/filter.d/
````
2. Replace `REJECT` by `DROP` blocktype
````
vim /volumeX/docker/fail2ban/action.d/iptables-common.local
Copy and paste the following content
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
````
3. Create docker-compose file
````
vim /volumeX/docker/fail2ban/docker-compose.yml
Copy and paste the following content
version: '3'
services:
fail2ban:
container_name: fail2ban
restart: always
image: crazymax/fail2ban:latest
environment:
- TZ=Europe/Paris
- F2B_DB_PURGE_AGE=30d
- F2B_LOG_TARGET=/data/fail2ban.log
- F2B_LOG_LEVEL=INFO
- F2B_IPTABLES_CHAIN=INPUT
volumes:
- /volumeX/docker/fail2ban:/data
- /volumeX/docker/bw-data:/bitwarden:ro
network_mode: "host"
privileged: true
cap_add:
- NET_ADMIN
- NET_RAW
````
4. Start the container using command line
````
cd /volumeX/docker/fail2ban
docker-compose up -d
````
You should see the container running in Synolog's Docker GUI. You will have to reload after configuring the filters and jails
```
sudo yum install fail2ban -y
```
## Fail2Ban Filter
Create the filter file
@ -122,78 +191,3 @@ type=AVC msg=audit(1571777936.719:2193): avc: denied { search } for pid=5853
```
To actually find out the reason you can use `grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why`. `audit2allow -a` will give you specific instructions on how to create a module and allow fail2ban to access these logs. Follow these steps and you're done! fail2ban should now work correctly.
## Setup on Synology
Synology, due to DSM system need a bit more work. The main constrains are:
1. The embeded IP ban system does not work on Docker's containers
2. The iptables embeded do no support the `REJECT` instruction
3. The Docker GUI does not allow some advanced settings
I choosed to rely on [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban). Please adapt the following to your context
`mkdir /volumeX/docker/fail2ban`
`touch /volumeX/docker/fail2ban/action.d/iptables-common.local`
Copy and paste the following content - this replace `REJECT` by `DROP`
````
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
````
`touch /volumeX/docker/fail2ban/filter.d/bitwarden.conf`
Copy and paste the following content
````
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
````
`touch /volumeX/docker/fail2ban/jail.d/bitwarden.conf`
Copy and paste the following content
````
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 6400
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]
[bitwarden]
enabled = true
port = 80,81,443,8081
filter = bitwarden
logpath = /bitwarden/bitwarden.log
````
`touch /volumeX/docker/fail2ban/docker-compose.yml`
Copy and paste the following content
````
version: '3'
services:
fail2ban:
container_name: fail2ban
restart: always
image: crazymax/fail2ban:latest
environment:
- TZ=Europe/Paris
- F2B_DB_PURGE_AGE=30d
- F2B_LOG_TARGET=/data/fail2ban.log
- F2B_LOG_LEVEL=DEBUG
- F2B_IPTABLES_CHAIN=INPUT
volumes:
- /volumeX/docker/fail2ban:/data
- /volumeX/docker/bw-data:/bitwarden:ro
network_mode: "host"
privileged: true
cap_add:
- NET_ADMIN
- NET_RAW
````
Run the container using `docker-compose up -d`
You now have to test the jail