I found a solution: I edited the service file with dietpi-services and added the following line in the [Service] section:
StandardOutput=file:/mnt/dietpi_userdata/vaultwarden/vaultwarden.log
The log now gets written to this file, which fail2ban can read.
I also tested a bit with action= and banaction=, and now it is working and catching my failed attempts, with this config:
/etc/fail2ban/filter.d/vaultwarden.conf
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$
ignoreregex =
/etc/fail2ban/jail.conf
[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]
[dropbear]
[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal
[vaultwarden]
enabled = true
port = 80,443,8001
filter = vaultwarden
banaction = route
action = %(banaction)s[blocktype=blackhole]
logpath = /mnt/dietpi_userdata/vaultwarden/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
mode=normal
backend=auto
EDIT:
Okay, if you do it with this action and banaction, every connection gets banned. My SSH connection to my TestPi dropped after the 3rd failed attempt.
Luckily I can SSH into it from another device and unban myself.
So maybe there is some need for improvement for the actions, but it’s working.
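An added example, not part of the original post: a simplified Python model of how the failregex above, combined with the [vaultwarden] jail's maxretry and findtime, acts on Vaultwarden log lines. The log lines are constructed, the helper names are hypothetical, and the ADDR pattern is a simplified stand-in for fail2ban's own <ADDR> tag.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied unchanged from the post's filter.d/vaultwarden.conf
FAILREGEX = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$"
# Simplified stand-in for fail2ban's <ADDR> tag (assumption: the real pattern is stricter)
ADDR = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<ADDR>", ADDR))
TS = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def find_bans(lines, maxretry=3, findtime=14400):
    """Return IPs, in ban order, that reach maxretry failures within findtime seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        m, t = PATTERN.search(line), TS.match(line)
        if not (m and t):
            continue              # not a failed-login line
        ip, now = m.group("ip"), datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(now)
        while (now - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

def fail(ts, ip):
    # Constructed failed-login line in Vaultwarden's log layout
    return (f"[{ts}.000][vaultwarden::api::identity][ERROR] Username or password "
            f"is incorrect. Try again. IP: {ip}. Username: user@example.org.")

SAMPLE = [  # constructed sample log
    fail("2024-05-01 10:00:01", "203.0.113.7"),
    fail("2024-05-01 10:00:09", "198.51.100.9"),
    fail("2024-05-01 10:01:30", "203.0.113.7"),
    "[2024-05-01 10:02:00.000][request][INFO] POST /identity/connect/token",
    fail("2024-05-01 10:03:12", "203.0.113.7"),   # third failure inside the window
    fail("2024-05-01 15:00:00", "198.51.100.9"),  # first failure has aged out by now
    fail("2024-05-01 15:00:05", "198.51.100.9"),
]

if __name__ == "__main__":
    print(find_bans(SAMPLE))
```

To run the real filter against the real log, fail2ban ships `fail2ban-regex`, which takes the log file and the filter file as arguments.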