Hi
I’ve installed Vaultwarden and Fail2ban.
Working OK. But I don’t understand how to add ports 80/443 (vaultwarden) to fail2ban.
On the dietpi software page in vaultwarden it says:
“You can enable/disable these features by modifying the /etc/fail2ban/jail.conf file, and setting enable = true under the [software] name.”
There is no [software] in this file…
How can I add those checks? Help appreciated as I have searched in vain…
Upon restarting the service I get the following error (systemctl status fail2ban.service):
Dec 02 22:12:19 Vaultwarden systemd[1]: Starting Fail2Ban Service...
Dec 02 22:12:19 Vaultwarden systemd[1]: Started Fail2Ban Service.
Dec 02 22:12:19 Vaultwarden fail2ban-server[12319]: Server ready
Dec 02 22:27:51 Vaultwarden systemd[1]: Reloading Fail2Ban Service.
Dec 02 22:27:51 Vaultwarden fail2ban-client[12783]: 2022-12-02 22:27:51,660 fail2ban [12783]: ERROR Failed during configuration: Bad value substitution: option 'action' in section 'vaultwarden' contains an interpolation key 'banaction_allports' which is not a valid option name. Raw value: '%(banaction)s[blocktype=blackhole]'
Dec 02 22:27:51 Vaultwarden systemd[1]: fail2ban.service: Control process exited, code=exited, status=255/EXCEPTION
Dec 02 22:27:51 Vaultwarden systemd[1]: Reload failed for Fail2Ban Service.
There is no log file for Vaultwarden which could be read by Fail2ban; it’s logged via journalctl, so this has to be changed first. Otherwise there is no file which you could filter with your regex rule.
You need to create a file /etc/fail2ban/filter.d/vaultwarden.conf with the content:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$
ignoreregex =
The lines with the ? are unclear to me, since the tutorial you used is for usage with Docker. Also there is no path for the vaultwarden.log file.
There is a tutorial in the wiki on how to log to a file, but again only for Docker. IDK what this means:
I found a solution: I edited the service file with dietpi-services and added the following line in the [Service] section: StandardOutput=file:/mnt/dietpi_userdata/vaultwarden/vaultwarden.log.
The log now gets written to this file, which Fail2ban can read.
I also tested a bit with action= and banaction=, and now it is working and catching my failed attempts, with this config:
/etc/fail2ban/filter.d/vaultwarden.conf
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$
ignoreregex =
/etc/fail2ban/jail.conf
[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]
[dropbear]
[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal
[vaultwarden]
# the fail2ban option is "enabled" (not "enable"); the [DEFAULT] section above already sets it to true
enabled = true
port = 80,443,8001
filter = vaultwarden
banaction = route
action = %(banaction)s[blocktype=blackhole]
logpath = /mnt/dietpi_userdata/vaultwarden/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
mode = normal
backend = auto
EDIT:
Okay, if you do it with this action and banaction, every connection gets banned. My SSH connection to my TestPi dropped after the 3rd failed attempt.
Luckily I can SSH into it from another device and unban myself.
So maybe there is some need for improvement for the actions, but it’s working.
Did you set correct log path in your jail?
Also, I don’t know if the file ending is important; I named everything .conf like every other file in these folders. I have no .local files at all on DietPi.
I also did not create a file in /jail.d, I just added some lines in my jail.conf. You can see it in my post above; I posted the file paths and the content.
You can also check with fail2ban-client status if your jail is active.
Yes, I did insert the correct log path for the existing log, which has all the correct messages in it.
I did create the jail.d/vaultwarden.conf and the /filter.d/vaultwarden.conf
Reloading the service gives this error:
[3109]: ERROR Failed during configuration: Bad value substitution: option 'action' in section 'vaultwarden' contains an interpolation key 'banaction_allports' which is not a valid option name. Raw value: '%(banaction)s[blocktype=blackhole]'
It’s this line: banaction = %(banaction_allports)s
replaced with your:
banaction = route
action = %(banaction)s[blocktype=blackhole]
That also doesn’t work. Repeated password tests at Vaultwarden over HTTPS and no block.
What happens is that Vaultwarden itself blocks after 10 attempts.
[2022-12-03 13:05:11.637][vaultwarden::ratelimit][ERROR] Too many login requests
[2022-12-03 13:05:11.637][response][INFO] (login) POST /identity/connect/token => 429 Too Many Requests
[2022-12-03 13:05:13.000][request][INFO] POST /api/accounts/prelogin
[2022-12-03 13:05:13.000][response][INFO] (prelogin) POST /api/accounts/prelogin => 200 OK
So if the jail is active (fail2ban-client status vaultwarden) but it catches no failed attempts I would say it can’t read the log or the regex is wrong.
I have changed the log to the location you tested. It’s not the problem of the log location…
regex is: failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
Error message in log:
[2022-12-03 16:58:02.040][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: xx.xx.xx.xx. Username: xxxxxxx@icloud.com.
[2022-12-03 16:58:02.040][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
└─# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-12-03 16:55:55 WET; 2min 26s ago
Docs: man:fail2ban(1)
Process: 348 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 350 (fail2ban-server)
Tasks: 9 (limit: 2372)
Memory: 22.5M
CPU: 324ms
CGroup: /system.slice/fail2ban.service
└─350 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Dec 03 16:55:55 Vaultwarden systemd[1]: Starting Fail2Ban Service...
Dec 03 16:55:55 Vaultwarden systemd[1]: Started Fail2Ban Service.
Dec 03 16:55:55 Vaultwarden fail2ban-server[350]: Server ready
└─# fail2ban-client status vaultwarden
Status for the jail: vaultwarden
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
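To see what the jail above should do with the quoted log lines, here is an added example that is not part of the thread and not fail2ban’s own code: it applies both failregex variants posted here to a constructed Vaultwarden log (addresses from RFC 5737 documentation ranges, timestamps modelled on the lines quoted above) and then applies the jail’s maxretry/findtime rule to the extracted IPs. The <ADDR> expansion is a simplified stand-in for fail2ban’s address pattern, an assumption made for this example.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta

# fail2ban expands the <ADDR> tag into a pattern for an IPv4 or IPv6 address.
# This simplified stand-in (an assumption, not fail2ban's exact pattern) is enough for the thread's log lines.
ADDR_PATTERN = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{3,39})"

# The two failregex variants posted in the thread.
FAILREGEX_HELPER = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$"
FAILREGEX_OP = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"

# Constructed sample log, modelled on the lines quoted in the thread (not real traffic).
SAMPLE_LOG = """\
[2022-12-03 16:58:02.040][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.10. Username: alice@example.com.
[2022-12-03 16:58:02.040][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2022-12-03 16:58:40.115][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.10. Username: alice@example.com.
[2022-12-03 17:01:09.500][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: bob@example.com.
[2022-12-03 17:03:11.637][vaultwarden::ratelimit][ERROR] Too many login requests
[2022-12-03 17:03:11.637][response][INFO] (login) POST /identity/connect/token => 429 Too Many Requests
[2022-12-03 17:05:33.002][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.10. Username: alice@example.com.
"""

TIMESTAMP_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]")


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python regex by expanding <ADDR>."""
    return re.compile(failregex.replace("<ADDR>", ADDR_PATTERN))


def extract_failures(log_text: str, failregex: str) -> list[tuple[datetime, str]]:
    """Return (timestamp, ip) for every log line the failregex matches.

    fail2ban matches the regex against the line with the date prefix removed, so the
    leading "[2022-12-03 ...]" is stripped before matching; lines without a timestamp
    (or without a failed-login message) are ignored, as the 400/429 response lines are.
    """
    pattern = compile_failregex(failregex)
    failures: list[tuple[datetime, str]] = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S.%f")
        m = pattern.match(line[ts_match.end():])
        if m:
            failures.append((ts, m.group("ip")))
    return failures


def banned_ips(failures, maxretry: int = 3, findtime_s: int = 14400) -> dict[str, datetime]:
    """Apply the jail's maxretry/findtime rule: an IP is banned once it has maxretry
    failures inside a sliding window of findtime seconds. Returns ip -> time of the ban."""
    window = timedelta(seconds=findtime_s)
    recent: dict[str, list[datetime]] = {}
    bans: dict[str, datetime] = {}
    for ts, ip in sorted(failures):
        if ip in bans:
            continue  # already banned; later failures would be dropped by the ban
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for name, rx in (("helper", FAILREGEX_HELPER), ("OP", FAILREGEX_OP)):
        fails = extract_failures(SAMPLE_LOG, rx)
        print(f"{name} regex: {len(fails)} matches, banned: {sorted(banned_ips(fails))}")
```

Both regex variants match the same four failed-login lines, and with maxretry = 3 and findtime = 14400 only 203.0.113.10 gets banned; with a findtime of 60 seconds nobody is, because the third failure falls outside the window. Against the real filter and log, fail2ban’s own tool does the same check: fail2ban-regex /mnt/dietpi_userdata/vaultwarden/vaultwarden.log /etc/fail2ban/filter.d/vaultwarden.conf reports how many lines the failregex matched, which is the quickest way to tell a regex problem from a log-path problem when the status shows "Total failed: 0".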
I still don’t know what’s wrong on your side, but I started with a fresh installation and got it working again. But I had problems with the log, so I did it a bit differently this time (I did not set the log to a file in the systemd unit, I set it in the .env file).
Here is what I did:
In /mnt/dietpi_userdata/vaultwarden/vaultwarden.env I set:
Without USE_SYSLOG=true it did not log my failed attempts.
I think it’s not important how the log is created, because yesterday it worked via the systemd way on my system.
Then I changed the service file again with dietpi-services. But this time I only corrected one line, because I got the log working via the .env file:
ReadWritePaths=/mnt/dietpi_userdata/vaultwarden
(I removed the - before the /mnt)
Maybe I already did this yesterday, I can’t tell; it was late and I was tired.
We’re getting somewhere!
I did as you indicated, set the .env file, modified the service.
But I left the file in /jail.d as I don’t want to modify /etc/fail2ban/jail.conf directly, as an update can overwrite it.
When I now tried to log in to Vaultwarden with a wrong password and then checked the jail status, I got:
Status for the jail: vaultwarden
|- Filter
| |- Currently failed: 1
| |- Total failed: 5
| `- Journal matches:
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: xx.xx.xx.xx
So something started happening! But the IP is wrong: it should be the IP trying to access, but it’s my own WAN IP.
Any idea on how to correct this? I’ve read something in the tutorials but can’t find it.
Turns out the - is for failover, so the service can start even when this folder does not exist. I could have checked other service files to realize this is intentional, but I did not.
So this makes it even more mysterious why it was not working in the first place.
I also observed that it was sometimes necessary to restart both services to function properly.