Reworked the installation section to integrate nicely the Synology section

2020-03-24 12:51:55 +01:00 · 2020-03-24 12:51:55 +01:00 · 36b81b70ae
parent 21549b3244
commit 36b81b70ae
1 changed files with 83 additions and 89 deletions
--- a/Fail2Ban-Setup.md
+++ b/Fail2Ban-Setup.md
@ -1,26 +1,95 @@
-As of release 1.5.0, bitwarden_rs supports logging to file. See [[Logging|logging]] for information on how to set this up.
+Setup Fail2ban will prevent attackers to brute force your vault logins. This is particularly important if your instance is publicaly available.
-## Logging Failed Login Attempts
+## Pre-requisite
-After specifying the log file location, failed login attempts will appear in the logs in the following format:
+- From Release 1.5.0, Bitwarden_rs supports logging to file. Please set this up : [[Logging|logging]]
 - Try to log with a false account and check the log files for folowing format
 ````
 	[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
 ````
 ## Installation
 ### Debian / Ubuntu / Raspian
 ```
-[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
+	sudo apt-get install fail2ban -y
 ```
-Install Fail2Ban (under Debian/Rasbian)
+### Fedora / Centos
 EPEL repository is necessary (CentOS 7)  
 ```
-sudo apt-get install fail2ban -y
+	sudo yum install epel-release
 	sudo yum install fail2ban -y
 ```
-Under Fedora/CentOS
+### Synology DSM
 With Synology, a bit more work is needed for various reasons. The main issues are:
-EPEL repository necessary (CentOS 7)
+1. The embeded IP ban system does not work for Docker's containers
-```
+2. The iptables embeded do no support the `REJECT` blocktype
-sudo yum install epel-release
+3. The Docker GUI does not allow some advanced settings
-```
+4. Modifying system configuration is not upgrade-proof
 Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban) provides a good solution and the Synology's docker GUI will be ignored. From command line through SSH, here the steps. As convention `volumeX` is to be adapted to your Synology's config.
 0. Get root
 ````
 	sudo -i
 ````
 1. Creating persistent folders
 ````
 	mkdir -p /volumeX/docker/fail2ban/action.d/
 	mkdir -p /volumeX/docker/fail2ban/jail.d/
 	mkdir -p /volumeX/docker/fail2ban/filter.d/
 ````
 2. Replace `REJECT` by `DROP` blocktype
 ````
 	vim /volumeX/docker/fail2ban/action.d/iptables-common.local
 	Copy and paste the following content  
 	[Init]
 	blocktype = DROP
 	[Init?family=inet6]
 	blocktype = DROP
 ````
 3. Create docker-compose file
 ````
 	vim /volumeX/docker/fail2ban/docker-compose.yml
 	Copy and paste the following content
 	version: '3'
 	services:
 	  fail2ban:
 		container_name: fail2ban
 		restart: always
 		image: crazymax/fail2ban:latest
 		environment: 
 		- TZ=Europe/Paris
 		- F2B_DB_PURGE_AGE=30d
 		- F2B_LOG_TARGET=/data/fail2ban.log
 		- F2B_LOG_LEVEL=INFO
 		- F2B_IPTABLES_CHAIN=INPUT
 		volumes:
 		- /volumeX/docker/fail2ban:/data
 		- /volumeX/docker/bw-data:/bitwarden:ro
 		network_mode: "host"
 		privileged: true
 		cap_add:
 			- NET_ADMIN
 			- NET_RAW
 ````
 4. Start the container using command line
 ````
 	cd /volumeX/docker/fail2ban
 	docker-compose up -d
 ````
 You should see the container running in Synolog's Docker GUI. You will have to reload after configuring the filters and jails
 ```
 sudo yum install fail2ban -y
 ```
 ## Fail2Ban Filter
 Create the filter file
@ -122,78 +191,3 @@ type=AVC msg=audit(1571777936.719:2193): avc:  denied  { search } for  pid=5853
 ```   
 To actually find out the reason you can use `grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why`. `audit2allow -a` will give you specific instructions on how to create a module and allow fail2ban to access these logs. Follow these steps and you're done! fail2ban should now work correctly.
 ## Setup on Synology
 Synology, due to DSM system need a bit more work. The main constrains are:
 1. The embeded IP ban system does not work on Docker's containers
 2. The iptables embeded do no support the `REJECT` instruction
 3. The Docker GUI does not allow some advanced settings
 I choosed to rely on [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban). Please adapt the following to your context
 `mkdir /volumeX/docker/fail2ban`  
 `touch /volumeX/docker/fail2ban/action.d/iptables-common.local`  
 Copy and paste the following content - this replace `REJECT` by `DROP`  
 ````
 [Init]
 blocktype = DROP
 [Init?family=inet6]
 blocktype = DROP
 ````
 `touch /volumeX/docker/fail2ban/filter.d/bitwarden.conf`  
 Copy and paste the following content
 ````
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
 ignoreregex =
 ````
 `touch /volumeX/docker/fail2ban/jail.d/bitwarden.conf`  
 Copy and paste the following content
 ````
 [DEFAULT]
 ignoreip = 127.0.0.1/8 192.168.0.0/22
 bantime = 6400
 findtime = 86400
 maxretry = 4
 backend = auto
 action = iptables-allports[name=bitwarden]
 [bitwarden]
 enabled = true
 port = 80,81,443,8081
 filter = bitwarden
 logpath = /bitwarden/bitwarden.log
 ````
 `touch /volumeX/docker/fail2ban/docker-compose.yml`  
 Copy and paste the following content
 ````
 version: '3'
 services:
  fail2ban:
    container_name: fail2ban
    restart: always
    image: crazymax/fail2ban:latest
    environment: 
    - TZ=Europe/Paris
    - F2B_DB_PURGE_AGE=30d
    - F2B_LOG_TARGET=/data/fail2ban.log
    - F2B_LOG_LEVEL=DEBUG
    - F2B_IPTABLES_CHAIN=INPUT
    volumes:
    - /volumeX/docker/fail2ban:/data
    - /volumeX/docker/bw-data:/bitwarden:ro
    network_mode: "host"
    privileged: true
    cap_add:
        - NET_ADMIN
        - NET_RAW
 ````
 Run the container using `docker-compose up -d`  
 You now have to test the jail