From bf1c96695b27a33be16d4b12b108559c34dc5418 Mon Sep 17 00:00:00 2001 From: Miroslav Prasil Date: Tue, 20 Nov 2018 14:55:19 +0000 Subject: [PATCH 1/6] Update dockerfile for alpine, armv7 and aarch64 --- Dockerfile.aarch64 | 18 ++---------------- Dockerfile.alpine | 19 ++++--------------- Dockerfile.armv7 | 18 ++---------------- 3 files changed, 8 insertions(+), 47 deletions(-) diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 1c19c8e4..5fa670ba 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -39,15 +39,8 @@ RUN apt-get update \ ENV CARGO_HOME "/root/.cargo" ENV USER "root" -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin app WORKDIR /app -# Copies over *only* your manifests and vendored dependencies -COPY ./Cargo.* ./ -COPY ./libs ./libs -COPY ./rust-toolchain ./rust-toolchain - # Prepare openssl arm64 libs RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ /etc/apt/sources.list.d/deb-src.list \ @@ -62,19 +55,12 @@ ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN rustup target add aarch64-unknown-linux-gnu -RUN cargo build --release --target=aarch64-unknown-linux-gnu -v -RUN find . -not -path "./target*" -delete - # Copies the complete project # To avoid copying unneeded files, use .dockerignore COPY . . -# Builds again, this time it'll just be -# your actual source files being built +# Build +RUN rustup target add aarch64-unknown-linux-gnu RUN cargo build --release --target=aarch64-unknown-linux-gnu -v ######################## RUNTIME IMAGE ######################## diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 35626afd..da9680aa 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -26,28 +26,17 @@ RUN npm run dist \ ########################## BUILD IMAGE ########################## # Musl build image for statically compiled binary -FROM clux/muslrust:nightly-2018-08-24 as build +FROM clux/muslrust:nightly-2018-10-03 as build -# Creates a dummy project used to grab dependencies -RUN USER=root cargo init --bin +ENV USER "root" -# Copies over *only* your manifests and vendored dependencies -COPY ./Cargo.* ./ -COPY ./libs ./libs -COPY ./rust-toolchain ./rust-toolchain - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --release -RUN find . -not -path "./target*" -delete +WORKDIR /app # Copies the complete project # To avoid copying unneeded files, use .dockerignore COPY . . -# Builds again, this time it'll just be -# your actual source files being built +# Build RUN cargo build --release ######################## RUNTIME IMAGE ######################## diff --git a/Dockerfile.armv7 b/Dockerfile.armv7 index 732a718f..cc77832d 100644 --- a/Dockerfile.armv7 +++ b/Dockerfile.armv7 @@ -39,15 +39,8 @@ RUN apt-get update \ ENV CARGO_HOME "/root/.cargo" ENV USER "root" -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin app WORKDIR /app -# Copies over *only* your manifests and vendored dependencies -COPY ./Cargo.* ./ -COPY ./libs ./libs -COPY ./rust-toolchain ./rust-toolchain - # Prepare openssl armhf libs RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ /etc/apt/sources.list.d/deb-src.list \ @@ -62,19 +55,12 @@ ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN rustup target add armv7-unknown-linux-gnueabihf -RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v -RUN find . -not -path "./target*" -delete - # Copies the complete project # To avoid copying unneeded files, use .dockerignore COPY . . -# Builds again, this time it'll just be -# your actual source files being built +# Build +RUN rustup target add armv7-unknown-linux-gnueabihf RUN cargo build --release --target=armv7-unknown-linux-gnueabihf -v ######################## RUNTIME IMAGE ######################## From 0935cb90a40aa811e1a618c965250376ffdd440a Mon Sep 17 00:00:00 2001 From: Miroslav Prasil Date: Wed, 21 Nov 2018 23:35:42 +0000 Subject: [PATCH 2/6] fix bad path in Alpine Dockerfile --- Dockerfile.alpine | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.alpine b/Dockerfile.alpine index da9680aa..ebebe0db 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -64,7 +64,7 @@ EXPOSE 3012 COPY .env . COPY Rocket.toml . COPY --from=vault /web-vault ./web-vault -COPY --from=build /volume/target/x86_64-unknown-linux-musl/release/bitwarden_rs . +COPY --from=build /app/target/x86_64-unknown-linux-musl/release/bitwarden_rs . # Configures the startup! CMD ./bitwarden_rs From b56a9053225552007c807754ec93aa621887fbf3 Mon Sep 17 00:00:00 2001 From: itr6 <44070017+itr6@users.noreply.github.com> Date: Thu, 29 Nov 2018 10:42:53 -0600 Subject: [PATCH 3/6] Update README.md --- README.md | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/README.md b/README.md index ed6aff30..81241204 100644 --- a/README.md +++ b/README.md @@ -416,6 +416,69 @@ Note that you can also change the path where bitwarden_rs looks for static files Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables). +### Fail2Ban Setup + +Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban. + +#### Logging failed login attempts to syslog + +We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file: +``` + bitwarden: + logging: + driver: "syslog" + options: + tag: "$TAG" +``` +With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file: +`$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.` +You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter. + +#### Fail2Ban Filter + +Create the filter file +``` +sudo nano /etc/fail2ban/filter.d/bitwarden.conf +``` +And add the following +``` +[INCLUDES] +before = common.conf + +[Definition] +failregex = ^%(__prefix_line)s.*$TAG.* ERROR: Username or password is incorrect. Try again. IP: \. Username:.*$ +ignoreregex = +``` +Dont forget to change the '$TAG' to what you set it as from above. + +#### Fail2ban Jail + +Now we need the jail, create the jail file +``` +sudo nano /etc/fail2ban/jail.d/bitwarden.local +``` +and add: +``` +[bitwarden] +enabled = true +port = 80,443,8081 +filter = bitwarden +action = iptables-allports[name=bitwarden] +logpath = /var/log/syslog +maxretry = 3 +bantime = 14400 +findtime = 14400 +``` +Feel free to change the options as you see fit. + +#### Testing Fail2Ban + +Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format) +If it works correctly and your IP is banned, you can unban the ip by running: +``` +sudo fail2ban-client unban XX.XX.XX.XX bitwarden +``` + ## Building your own image Clone the repository, then from the root of the repository run: From 70c20f7f52749bb183421a5c85d8a9a02b0fc10b Mon Sep 17 00:00:00 2001 From: itr6 <44070017+itr6@users.noreply.github.com> Date: Thu, 29 Nov 2018 10:48:41 -0600 Subject: [PATCH 4/6] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 81241204..27a48c9e 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,7 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward - [Password hint display](#password-hint-display) - [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting) - [Other configuration](#other-configuration) + - [Fail2Ban Setup](#fail2ban-setup) - [Building your own image](#building-your-own-image) - [Building binary](#building-binary) - [Available packages](#available-packages) From 55579261b7129e2bfd33889edcee8b80de774795 Mon Sep 17 00:00:00 2001 From: itr6 <44070017+itr6@users.noreply.github.com> Date: Thu, 29 Nov 2018 10:49:20 -0600 Subject: [PATCH 5/6] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 27a48c9e..49af2300 100644 --- a/README.md +++ b/README.md @@ -432,7 +432,9 @@ We need to set the logging driver to syslog so the host OS and Fail2Ban can see tag: "$TAG" ``` With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file: -`$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.` +``` +$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com. +``` You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter. #### Fail2Ban Filter From 6990525e8a4399c848cabfc99bbd2e761b806b95 Mon Sep 17 00:00:00 2001 From: itr6 <44070017+itr6@users.noreply.github.com> Date: Thu, 29 Nov 2018 10:52:47 -0600 Subject: [PATCH 6/6] Update README.md --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 49af2300..305ad36f 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,10 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward - [Disabling or overriding the Vault interface hosting](#disabling-or-overriding-the-vault-interface-hosting) - [Other configuration](#other-configuration) - [Fail2Ban Setup](#fail2ban-setup) + - [Logging Failed Login Attempts to Syslog](#logging-failed-login-attempts-to-syslog) + - [Fail2Ban Filter](#fail2ban-filter) + - [Fail2Ban Jail](#fail2ban-jail) + - [Testing Fail2Ban](#testing-fail2ban) - [Building your own image](#building-your-own-image) - [Building binary](#building-binary) - [Available packages](#available-packages) @@ -421,7 +425,7 @@ Though this is unlikely to be required in small deployment, you can fine-tune so Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban. -#### Logging failed login attempts to syslog +#### Logging Failed Login Attempts to Syslog We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file: ``` @@ -454,7 +458,7 @@ ignoreregex = ``` Dont forget to change the '$TAG' to what you set it as from above. -#### Fail2ban Jail +#### Fail2Ban Jail Now we need the jail, create the jail file ```