Spiegel von
https://github.com/dani-garcia/vaultwarden.git
synchronisiert 2024-11-26 05:50:29 +01:00
Update README.md
Dieser Commit ist enthalten in:
Ursprung
0f6ab01f77
Commit
b56a905322
1 geänderte Dateien mit 63 neuen und 0 gelöschten Zeilen
63
README.md
63
README.md
|
@ -416,6 +416,69 @@ Note that you can also change the path where bitwarden_rs looks for static files
|
||||||
|
|
||||||
Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
|
Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
|
||||||
|
|
||||||
|
### Fail2Ban Setup
|
||||||
|
|
||||||
|
Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban.
|
||||||
|
|
||||||
|
#### Logging failed login attempts to syslog
|
||||||
|
|
||||||
|
We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file:
|
||||||
|
```
|
||||||
|
bitwarden:
|
||||||
|
logging:
|
||||||
|
driver: "syslog"
|
||||||
|
options:
|
||||||
|
tag: "$TAG"
|
||||||
|
```
|
||||||
|
With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file:
|
||||||
|
`$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.`
|
||||||
|
You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter.
|
||||||
|
|
||||||
|
#### Fail2Ban Filter
|
||||||
|
|
||||||
|
Create the filter file
|
||||||
|
```
|
||||||
|
sudo nano /etc/fail2ban/filter.d/bitwarden.conf
|
||||||
|
```
|
||||||
|
And add the following
|
||||||
|
```
|
||||||
|
[INCLUDES]
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
failregex = ^%(__prefix_line)s.*$TAG.* ERROR: Username or password is incorrect. Try again. IP: <HOST>\. Username:.*$
|
||||||
|
ignoreregex =
|
||||||
|
```
|
||||||
|
Dont forget to change the '$TAG' to what you set it as from above.
|
||||||
|
|
||||||
|
#### Fail2ban Jail
|
||||||
|
|
||||||
|
Now we need the jail, create the jail file
|
||||||
|
```
|
||||||
|
sudo nano /etc/fail2ban/jail.d/bitwarden.local
|
||||||
|
```
|
||||||
|
and add:
|
||||||
|
```
|
||||||
|
[bitwarden]
|
||||||
|
enabled = true
|
||||||
|
port = 80,443,8081
|
||||||
|
filter = bitwarden
|
||||||
|
action = iptables-allports[name=bitwarden]
|
||||||
|
logpath = /var/log/syslog
|
||||||
|
maxretry = 3
|
||||||
|
bantime = 14400
|
||||||
|
findtime = 14400
|
||||||
|
```
|
||||||
|
Feel free to change the options as you see fit.
|
||||||
|
|
||||||
|
#### Testing Fail2Ban
|
||||||
|
|
||||||
|
Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
|
||||||
|
If it works correctly and your IP is banned, you can unban the ip by running:
|
||||||
|
```
|
||||||
|
sudo fail2ban-client unban XX.XX.XX.XX bitwarden
|
||||||
|
```
|
||||||
|
|
||||||
## Building your own image
|
## Building your own image
|
||||||
|
|
||||||
Clone the repository, then from the root of the repository run:
|
Clone the repository, then from the root of the repository run:
|
||||||
|
|
Laden …
In neuem Issue referenzieren