Skip to content
Snippets Groups Projects
Unverified Commit b56a9053 authored by itr6's avatar itr6 Committed by GitHub
Browse files

Update README.md

parent 0f6ab01f
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 63 additions and 0 deletions
README.md
+ 63
0
View file @ b56a9053
...@@ -416,6 +416,69 @@ Note that you can also change the path where bitwarden_rs looks for static files ...@@ -416,6 +416,69 @@ Note that you can also change the path where bitwarden_rs looks for static files
Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables). Though this is unlikely to be required in small deployment, you can fine-tune some other settings like number of workers using environment variables that are processed by [Rocket](https://rocket.rs), please see details in [documentation](https://rocket.rs/guide/configuration/#environment-variables).
### Fail2Ban Setup
Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban.
#### Logging failed login attempts to syslog
We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. Add the following to your docker-compose file:
```
bitwarden:
logging:
driver: "syslog"
options:
tag: "$TAG"
```
With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file:
`$DATE $TIME $SERVER $TAG[979]: ERROR: Username or password is incorrect. Try again. IP: XX.XX.XX.XX. Username: email@domain.com.`
You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter.
#### Fail2Ban Filter
Create the filter file
```
sudo nano /etc/fail2ban/filter.d/bitwarden.conf
```
And add the following
```
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*$TAG.* ERROR: Username or password is incorrect. Try again. IP: <HOST>\. Username:.*$
ignoreregex =
```
Dont forget to change the '$TAG' to what you set it as from above.
#### Fail2ban Jail
Now we need the jail, create the jail file
```
sudo nano /etc/fail2ban/jail.d/bitwarden.local
```
and add:
```
[bitwarden]
enabled = true
port = 80,443,8081
filter = bitwarden
action = iptables-allports[name=bitwarden]
logpath = /var/log/syslog
maxretry = 3
bantime = 14400
findtime = 14400
```
Feel free to change the options as you see fit.
#### Testing Fail2Ban
Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
If it works correctly and your IP is banned, you can unban the ip by running:
```
sudo fail2ban-client unban XX.XX.XX.XX bitwarden
```
## Building your own image ## Building your own image
Clone the repository, then from the root of the repository run: Clone the repository, then from the root of the repository run:
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment