diff --git a/Fail2Ban-Setup.md b/Fail2Ban-Setup.md index ed5a396..45872e1 100644 --- a/Fail2Ban-Setup.md +++ b/Fail2Ban-Setup.md @@ -1,26 +1,95 @@ -As of release 1.5.0, bitwarden_rs supports logging to file. See [[Logging|logging]] for information on how to set this up. +Setup Fail2ban will prevent attackers to brute force your vault logins. This is particularly important if your instance is publicaly available. -## Logging Failed Login Attempts +## Pre-requisite -After specifying the log file location, failed login attempts will appear in the logs in the following format: +- From Release 1.5.0, Bitwarden_rs supports logging to file. Please set this up : [[Logging|logging]] +- Try to log with a false account and check the log files for folowing format +```` + [YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com. +```` +## Installation +### Debian / Ubuntu / Raspian ``` -[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com. + sudo apt-get install fail2ban -y ``` -Install Fail2Ban (under Debian/Rasbian) +### Fedora / Centos +EPEL repository is necessary (CentOS 7) ``` -sudo apt-get install fail2ban -y + sudo yum install epel-release + sudo yum install fail2ban -y ``` -Under Fedora/CentOS +### Synology DSM +With Synology, a bit more work is needed for various reasons. The main issues are: -EPEL repository necessary (CentOS 7) -``` -sudo yum install epel-release -``` +1. The embeded IP ban system does not work for Docker's containers +2. The iptables embeded do no support the `REJECT` blocktype +3. The Docker GUI does not allow some advanced settings +4. Modifying system configuration is not upgrade-proof + +Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban) provides a good solution and the Synology's docker GUI will be ignored. From command line through SSH, here the steps. As convention `volumeX` is to be adapted to your Synology's config. + +0. Get root +```` + sudo -i +```` + +1. Creating persistent folders + +```` + mkdir -p /volumeX/docker/fail2ban/action.d/ + mkdir -p /volumeX/docker/fail2ban/jail.d/ + mkdir -p /volumeX/docker/fail2ban/filter.d/ +```` + +2. Replace `REJECT` by `DROP` blocktype +```` + vim /volumeX/docker/fail2ban/action.d/iptables-common.local + + Copy and paste the following content + + [Init] + blocktype = DROP + [Init?family=inet6] + blocktype = DROP +```` +3. Create docker-compose file +```` + vim /volumeX/docker/fail2ban/docker-compose.yml + + Copy and paste the following content + + version: '3' + services: + fail2ban: + container_name: fail2ban + restart: always + image: crazymax/fail2ban:latest + environment: + - TZ=Europe/Paris + - F2B_DB_PURGE_AGE=30d + - F2B_LOG_TARGET=/data/fail2ban.log + - F2B_LOG_LEVEL=INFO + - F2B_IPTABLES_CHAIN=INPUT + + volumes: + - /volumeX/docker/fail2ban:/data + - /volumeX/docker/bw-data:/bitwarden:ro + + network_mode: "host" + + privileged: true + cap_add: + - NET_ADMIN + - NET_RAW +```` +4. Start the container using command line +```` + cd /volumeX/docker/fail2ban + docker-compose up -d +```` +You should see the container running in Synolog's Docker GUI. You will have to reload after configuring the filters and jails -``` -sudo yum install fail2ban -y -``` ## Fail2Ban Filter Create the filter file @@ -122,78 +191,3 @@ type=AVC msg=audit(1571777936.719:2193): avc: denied { search } for pid=5853 ``` To actually find out the reason you can use `grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why`. `audit2allow -a` will give you specific instructions on how to create a module and allow fail2ban to access these logs. Follow these steps and you're done! fail2ban should now work correctly. -## Setup on Synology -Synology, due to DSM system need a bit more work. The main constrains are: - -1. The embeded IP ban system does not work on Docker's containers -2. The iptables embeded do no support the `REJECT` instruction -3. The Docker GUI does not allow some advanced settings - -I choosed to rely on [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban). Please adapt the following to your context - -`mkdir /volumeX/docker/fail2ban` -`touch /volumeX/docker/fail2ban/action.d/iptables-common.local` -Copy and paste the following content - this replace `REJECT` by `DROP` -```` -[Init] -blocktype = DROP -[Init?family=inet6] -blocktype = DROP -```` -`touch /volumeX/docker/fail2ban/filter.d/bitwarden.conf` -Copy and paste the following content -```` -[INCLUDES] -before = common.conf - -[Definition] -failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$ -ignoreregex = -```` -`touch /volumeX/docker/fail2ban/jail.d/bitwarden.conf` -Copy and paste the following content -```` -[DEFAULT] -ignoreip = 127.0.0.1/8 192.168.0.0/22 -bantime = 6400 -findtime = 86400 -maxretry = 4 -backend = auto -action = iptables-allports[name=bitwarden] - -[bitwarden] -enabled = true -port = 80,81,443,8081 -filter = bitwarden -logpath = /bitwarden/bitwarden.log -```` -`touch /volumeX/docker/fail2ban/docker-compose.yml` -Copy and paste the following content -```` -version: '3' -services: - fail2ban: - container_name: fail2ban - restart: always - image: crazymax/fail2ban:latest - environment: - - TZ=Europe/Paris - - F2B_DB_PURGE_AGE=30d - - F2B_LOG_TARGET=/data/fail2ban.log - - F2B_LOG_LEVEL=DEBUG - - F2B_IPTABLES_CHAIN=INPUT - - volumes: - - /volumeX/docker/fail2ban:/data - - /volumeX/docker/bw-data:/bitwarden:ro - - network_mode: "host" - - privileged: true - cap_add: - - NET_ADMIN - - NET_RAW -```` -Run the container using `docker-compose up -d` -You now have to test the jail -