Finished rework to aggregate the pre-req, the install directives and the setting ones

sosandroid 2020-03-24 14:33:30 +01:00
parent 36b81b70ae
commit 2c4b1d4d50
1 changed files with 84 additions and 68 deletions

@ -2,8 +2,9 @@ Setup Fail2ban will prevent attackers to brute force your vault logins. This is
## Pre-requisite
- Commands are using `vi`. The basics can be found [there](https://pc.net/resources/commands/vi). However, you can use whatever text editor you want.
- From Release 1.5.0, Bitwarden_rs supports logging to file. Please set this up : [[Logging|logging]]
- Try to log with a false account and check the log files for folowing format
- Try to log to web vault with a false account and check the log files for folowing format
````
[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
````
@ -44,7 +45,7 @@ Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ba
2. Replace `REJECT` by `DROP` blocktype
````
vim /volumeX/docker/fail2ban/action.d/iptables-common.local
vi /volumeX/docker/fail2ban/action.d/iptables-common.local
Copy and paste the following content
@ -55,7 +56,7 @@ Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ba
````
3. Create docker-compose file
````
vim /volumeX/docker/fail2ban/docker-compose.yml
vi /volumeX/docker/fail2ban/docker-compose.yml
Copy and paste the following content
@ -90,36 +91,38 @@ Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ba
````
You should see the container running in Synolog's Docker GUI. You will have to reload after configuring the filters and jails
## Fail2Ban Filter
## Setup for web vault
As a convention, `path_f2b` means the path needed for Fail2ban to work. This depends on your system. E.g. on Synology, we are atlking about `/volumeX/docker/fail2ban/` where on some other systems we are talking about `/etc/fail2ban/`
### Filter
Create and fill the following file
````
vi path_f2b/filter.d/bitwarden.local
Copy and paste the following content
Create the filter file
```
sudo nano /etc/fail2ban/filter.d/bitwarden.conf
```
And add the following
```
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
```
````
If you get the following error message `in fail2ban.log` (CentOS 7, Fail2Ban v0.9.7)
Use ```<HOST>``` instead of ```<ADDR>``` if you get the following error message in fail2ban.log
(CentOS 7, Fail2Ban v0.9.7):
```
fail2ban.filter [5291]: ERROR No 'host' group in '^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'
```
`fail2ban.filter [5291]: ERROR No 'host' group in '^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'`
Please Use `<HOST>` instead of `<ADDR>` in ``bitwarden.local`
## Fail2Ban Jail
### Jail
Create and fill the following file
````
vi path_f2b/jail.d/bitwarden.local
Copy and paste the following content
Now we need the jail, create the jail file
```
sudo nano /etc/fail2ban/jail.d/bitwarden.local
```
and add:
```
[bitwarden]
enabled = true
port = 80,443,8081
@ -129,9 +132,8 @@ logpath = /path/to/bitwarden/log
maxretry = 3
bantime = 14400
findtime = 14400
```
````
Note: Docker uses the FORWARD chain instead of the default INPUT chain. Therefore use the following action when using Docker:
```
action = iptables-allports[name=bitwarden, chain=FORWARD]
```
@ -143,6 +145,46 @@ Thats at least not true for running on Docker (CentOS 7) with caddy as reverse p
Feel free to change the options as you see fit.
## Setup for admin page
If you've enabled the admin console by setting the `ADMIN_TOKEN` environment variable, you can prevent an attacker brute-forcing the admin token using Fail2Ban. The process is the same as for the web vault.
### Filter
Create and fill the following file
````
vi path_f2b/filter.d/bitwarden-admin.local
Copy and paste the following content
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
````
### Jail
Create and fill the following file
````
vi path_f2b/jail.d/bitwarden-admin.local
Copy and paste the following content
[bitwarden-admin]
enabled = true
port = 80,443
filter = bitwarden-admin
action = iptables-allports[name=bitwarden]
logpath = /path/to/bitwarden.log
maxretry = 3
bantime = 14400
findt
````
Note: Docker uses the FORWARD chain instead of the default INPUT chain. Therefore use the following action when using Docker:
```
action = iptables-allports[name=bitwarden, chain=FORWARD]
```
## Testing Fail2Ban
Now just try to login to bitwarden using any email (it doesnt have to be a valid email, just an email format)
@ -156,32 +198,6 @@ Also verify that the timezone of the docker container matches the timezone of th
If you are using podman instead of docker it seems that setting the timezone via ```-e "TZ=<timezone>"``` does not work. This can be solved (when using the alpine image) by following this guide: [https://wiki.alpinelinux.org/wiki/Setting_the_timezone](https://wiki.alpinelinux.org/wiki/Setting_the_timezone).
## Setting Up Fail2Ban for the Admin Page
If you've enabled the admin console by setting the `ADMIN_TOKEN` environment variable, you can prevent an attacker brute-forcing the admin token using Fail2Ban. Following the same process as for the web vault, create the following filter in `/etc/fail2ban/filter.d/bitwarden-admin.conf`:
```
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
```
Then create the following jail configuration in `/etc/fail2ban/jail.d/bitwarden-admin.local` (note that this example uses the `action` directive for the Docker image--modify it if you're using the binary build):
```
[bitwarden-admin]
enabled = true
port = 80,443
filter = bitwarden-admin
action = iptables-allports[name=bitwarden, chain=FORWARD]
logpath = /path/to/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
```
## SELinux Problems
When you are using SELinux it is possible that SELinux hinders fail2ban to read the logs. If so, follow these steps: