[SOLVED] Jail2ban-vaultwarden

Hi
I’ve installed Vaultwarden and Fail2ban.
Working OK. But I don’t understand how to add ports 80/443 (vaultwarden) to fail2ban.
On the dietpi software page in vaultwarden it says:
“You can enable/disable these features by modifying the /etc/fail2ban/jail.conf file, and setting enable = true under the [software] name.”
There is no [software] in this file…

How can I add those checks? Help appreciated as I have searched in vain…

I have tried to follow Fail2Ban Setup - dani-garcia/vaultwarden GitHub Wiki
Created the filter.d/vaultwarden.local and jail.d/vaultwarden.local files.

Upon restarting the service I get the following error (systemctl status fail2ban.service):

Dec 02 22:12:19 Vaultwarden systemd[1]: Starting Fail2Ban Service...
Dec 02 22:12:19 Vaultwarden systemd[1]: Started Fail2Ban Service.
Dec 02 22:12:19 Vaultwarden fail2ban-server[12319]: Server ready
Dec 02 22:27:51 Vaultwarden systemd[1]: Reloading Fail2Ban Service.
Dec 02 22:27:51 Vaultwarden fail2ban-client[12783]: 2022-12-02 22:27:51,660 fail2ban                [12783]: ERROR   Failed during configuration: Bad value substitution: option 'action' in section 'vaultwarden' contains an interpolation key 'banaction_allports' which is not a valid option name. Raw value: '%(banaction)s[blocktype=blackhole]'
Dec 02 22:27:51 Vaultwarden systemd[1]: fail2ban.service: Control process exited, code=exited, status=255/EXCEPTION
Dec 02 22:27:51 Vaultwarden systemd[1]: Reload failed for Fail2Ban Service.

Can you share sudo journalctl -u fail2ban?

Edit:

Ok I tried some stuff and found some problems.

    1. There is no log file for vaultwarden which could be read by fail2ban; it's logged via journalctl, so this has to be changed first. Otherwise there is no file which you could filter with your regex rule.
    2. You need to create a file /etc/fail2ban/filter.d/vaultwarden.conf with the content:
[INCLUDES]
before = common.conf

[Definition]
failregex =  ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$
ignoreregex =
    3. You need to add to jail.conf:
[vaultwarden]
# the fail2ban option is "enabled", not "enable"
enabled = true
port = 8001
filter = vaultwarden
banaction = ?
action = ?
logpath = ?
maxretry = 3
bantime = 14400
findtime = 14400
mode = normal
backend = auto

The lines with the ? are unclear to me, since the tutorial you used is for usage with docker. Also there is no path for the vaultwarden.log file.
There is a tutorial in the wiki on how to log to a file, but again only for docker. IDK what this means:

docker run -d --name vaultwarden \
...
  -e LOG_FILE=/data/vaultwarden.log \
...

https://github.com/dani-garcia/vaultwarden/wiki/Logging

If you can solve these problems, fail2ban should be working with vaultwarden.


I found out how to enable logging.
There is a file /mnt/dietpi_userdata/vaultwarden/vaultwarden.env where you can set a log file:

## Logging to file
# LOG_FILE=/path/to/log

I set it to /opt/vaultwarden/vaultwarden.log and also set this in the jail.conf.
But vaultwarden is not logging into this file. I give up for today :smiley:


I found a solution, I edited the service file with dietpi-services and added in the [Service] section the line:

StandardOutput=file:/mnt/dietpi_userdata/vaultwarden/vaultwarden.log

The log now gets written to this file, which fail2ban can read.

I also tested a bit with action= and banaction= and now it is working and catching my failed attempts, with this config:

/etc/fail2ban/filter.d/vaultwarden.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$
ignoreregex =

/etc/fail2ban/jail.conf

[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]

[dropbear]

[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal

[vaultwarden]
# the fail2ban option is "enabled", not "enable"
enabled = true
port = 80,443,8001
filter = vaultwarden
banaction = route
action = %(banaction)s[blocktype=blackhole]
logpath = /mnt/dietpi_userdata/vaultwarden/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
mode = normal
# the log is a file, so override the systemd backend set in [DEFAULT]
backend = auto

EDIT:

okay if you do it with this action and banaction, every connection gets banned. My SSH connection to my TestPi dropped after the 3rd failed attempt :rofl:
Luckily I can SSH into it from another device and unban myself :joy:
So maybe there is some need for improvement for the actions, but it’s working.


Appreciate your effort!!

I edited the service as per your suggestion and it’s creating a log file in /var/log OK.

Changed the lines in /etc/fail2ban/jail.d/vaultwarden.local to include

banaction = route
action = %(banaction)s[blocktype=blackhole]

The failed login attempts get logged in /var/log/vaultwarden.log (log I specified in services) but jail2ban doesn’t jail…

Giving up

Did you set correct log path in your jail?
Also idk if the file ending is important, I named everything .conf like every other file in these folders. I have no .local files at all on dietpi.
I also did not create a file in /jail.d, I just added some lines in my jail.conf. You can see it from my post above, I posted the file paths and the content.

You can also check with fail2ban-client status if your jail is active.


Yes, I did insert the correct log path for the existing log, which has all the correct messages in it.
I did create the jail.d/vaultwarden.conf and the /filter.d/vaultwarden.conf
Reloading the service errors:

[3109]: ERROR Failed during configuration: Bad value substitution: option ‘action’ in section ‘vaultwarden’ contains an interpolation key ‘banaction_allports’ which is not a valid option name. Raw value: ‘%(banaction)s[blocktype=blackhole]’

It’s this line: banaction = %(banaction_allports)s

replaced with your:
banaction = route
action = %(banaction)s[blocktype=blackhole]

Also doesn't work. Repeated password tests at vaultwarden https and no block.
What happens is that Vaultwarden itself blocks after 10 attempts.

[2022-12-03 13:05:11.637][vaultwarden::ratelimit][ERROR] Too many login requests
[2022-12-03 13:05:11.637][response][INFO] (login) POST /identity/connect/token => 429 Too Many Requests
[2022-12-03 13:05:13.000][request][INFO] POST /api/accounts/prelogin
[2022-12-03 13:05:13.000][response][INFO] (prelogin) POST /api/accounts/prelogin => 200 OK

Yes, I had also this error, so I changed it to

banaction = route
action = %(banaction)s[blocktype=blackhole]

Hm idk what’s wrong with your config, maybe it can’t read the log from /var/log/?

Tried this also but didn’t work… No ban

Who knows why it doesn't work, this is why I shelved it for the time being. Vaultwarden blocking itself after 10 tries is better than nothing…

So if the jail is active (fail2ban-client status vaultwarden) but it catches no failed attempts I would say it can’t read the log or the regex is wrong.

I have changed the log to the location you tested. It’s not the problem of the log location…

regex is:
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$

Error message in log:
[2022-12-03 16:58:02.040][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: xx.xx.xx.xx. Username: xxxxxxx@icloud.com.
[2022-12-03 16:58:02.040][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

└─# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-12-03 16:55:55 WET; 2min 26s ago
       Docs: man:fail2ban(1)
    Process: 348 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 350 (fail2ban-server)
      Tasks: 9 (limit: 2372)
     Memory: 22.5M
        CPU: 324ms
     CGroup: /system.slice/fail2ban.service
             └─350 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Dec 03 16:55:55 Vaultwarden systemd[1]: Starting Fail2Ban Service...
Dec 03 16:55:55 Vaultwarden systemd[1]: Started Fail2Ban Service.
Dec 03 16:55:55 Vaultwarden fail2ban-server[350]: Server ready
└─# fail2ban-client status vaultwarden
Status for the jail: vaultwarden
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

I still don't know what's wrong at your site, but I started with a fresh installation and got it working again. But I had problems with the log so I did it a bit differently this time (I did not set log to file in the systemd unit, I set it in the .env file).

Here is what I did:
In /mnt/dietpi_userdata/vaultwarden/vaultwarden.env I set:

LOG_FILE=/mnt/dietpi_userdata/vaultwarden/vaultwarden.log
USE_SYSLOG=true

Without USE_SYSLOG=true it did not log my failed attempts.
I think it's not important how the log is created, because yesterday it worked via the systemd way on my system.
Then I changed the service file again with dietpi-services. But this time I only corrected one line, because I got the log working via the .env file:

ReadWritePaths=/mnt/dietpi_userdata/vaultwarden

(I removed the - before the /mnt)
Maybe I already did this yesterday, I can’t tell, it was late and I was tired :sweat_smile:

The files for fail2ban are the same as in my other post Jail2ban-vaultwarden - #5 by Jappe

At the end I did:

sudo systemctl daemon-reload
sudo systemctl restart vaultwarden
sudo systemctl restart fail2ban

After the 3rd failed attempt my SSH connection dropped and I was also unable to reach the web UI.

We’re getting somewhere!
I did as you indicated, set the .env file, modified service.
But I left the file in /jail.d as I don’t want to modify the /etc/fail2ban/jail.conf directly as an update can overwrite it.
When I now tried to login to Vaultwarden with wrong password and then checked via Status for the jail: vaultwarden I got:

Status for the jail: vaultwarden
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	5
|  `- Journal matches:
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	xx.xx.xx.xx

So something started happening! But the IP is wrong, it should be the IP trying to access but it’s my own WAN IP.
Any idea on how to correct this? I’ve read something in the tutorials but can’t find it.


How do you try to access Vaultwarden? Using local IP or a DDNS name?

Via nginx proxy manager from outside & inside.

Same DNS name for both.

In this case it's ok to show the WAN IP as this is the address used to connect to your DDNS. Doesn't matter if inside or outside your network.

Turns out the - is for failover, so the service can start even when this folder does not exist. I could have checked other service files to realize this is intentional, but I did not.
So this makes it even more mysterious why it was not working in the first place.

I also observed that it was sometimes necessary to restart both services to function properly.

Tried accessing from the outside. Correct IP is banned: BUT I can still login into Vaultwarden after it is banned!

I.e. I enter the password 3 or 4 times wrongly. IP gets banned. I enter the correct password and I can log in!

It’s now banning BUT I still can login from the banned IP… Go figure