Reworked the installation section to integrate nicely the Synology section
parent
21549b3244
commit
36b81b70ae
|
@ -1,26 +1,95 @@
|
|||
As of release 1.5.0, bitwarden_rs supports logging to file. See [[Logging|logging]] for information on how to set this up.
|
||||
Setup Fail2ban will prevent attackers to brute force your vault logins. This is particularly important if your instance is publicaly available.
|
||||
|
||||
## Logging Failed Login Attempts
|
||||
## Pre-requisite
|
||||
|
||||
After specifying the log file location, failed login attempts will appear in the logs in the following format:
|
||||
|
||||
```
|
||||
- From Release 1.5.0, Bitwarden_rs supports logging to file. Please set this up : [[Logging|logging]]
|
||||
- Try to log with a false account and check the log files for folowing format
|
||||
````
|
||||
[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com.
|
||||
```
|
||||
Install Fail2Ban (under Debian/Rasbian)
|
||||
````
|
||||
|
||||
## Installation
|
||||
### Debian / Ubuntu / Raspian
|
||||
```
|
||||
sudo apt-get install fail2ban -y
|
||||
```
|
||||
Under Fedora/CentOS
|
||||
|
||||
EPEL repository necessary (CentOS 7)
|
||||
### Fedora / Centos
|
||||
EPEL repository is necessary (CentOS 7)
|
||||
```
|
||||
sudo yum install epel-release
|
||||
```
|
||||
|
||||
```
|
||||
sudo yum install fail2ban -y
|
||||
```
|
||||
### Synology DSM
|
||||
With Synology, a bit more work is needed for various reasons. The main issues are:
|
||||
|
||||
1. The embeded IP ban system does not work for Docker's containers
|
||||
2. The iptables embeded do no support the `REJECT` blocktype
|
||||
3. The Docker GUI does not allow some advanced settings
|
||||
4. Modifying system configuration is not upgrade-proof
|
||||
|
||||
Therefore, we will use Fail2ban in a docker container. [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban) provides a good solution and the Synology's docker GUI will be ignored. From command line through SSH, here the steps. As convention `volumeX` is to be adapted to your Synology's config.
|
||||
|
||||
0. Get root
|
||||
````
|
||||
sudo -i
|
||||
````
|
||||
|
||||
1. Creating persistent folders
|
||||
|
||||
````
|
||||
mkdir -p /volumeX/docker/fail2ban/action.d/
|
||||
mkdir -p /volumeX/docker/fail2ban/jail.d/
|
||||
mkdir -p /volumeX/docker/fail2ban/filter.d/
|
||||
````
|
||||
|
||||
2. Replace `REJECT` by `DROP` blocktype
|
||||
````
|
||||
vim /volumeX/docker/fail2ban/action.d/iptables-common.local
|
||||
|
||||
Copy and paste the following content
|
||||
|
||||
[Init]
|
||||
blocktype = DROP
|
||||
[Init?family=inet6]
|
||||
blocktype = DROP
|
||||
````
|
||||
3. Create docker-compose file
|
||||
````
|
||||
vim /volumeX/docker/fail2ban/docker-compose.yml
|
||||
|
||||
Copy and paste the following content
|
||||
|
||||
version: '3'
|
||||
services:
|
||||
fail2ban:
|
||||
container_name: fail2ban
|
||||
restart: always
|
||||
image: crazymax/fail2ban:latest
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
- F2B_DB_PURGE_AGE=30d
|
||||
- F2B_LOG_TARGET=/data/fail2ban.log
|
||||
- F2B_LOG_LEVEL=INFO
|
||||
- F2B_IPTABLES_CHAIN=INPUT
|
||||
|
||||
volumes:
|
||||
- /volumeX/docker/fail2ban:/data
|
||||
- /volumeX/docker/bw-data:/bitwarden:ro
|
||||
|
||||
network_mode: "host"
|
||||
|
||||
privileged: true
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
````
|
||||
4. Start the container using command line
|
||||
````
|
||||
cd /volumeX/docker/fail2ban
|
||||
docker-compose up -d
|
||||
````
|
||||
You should see the container running in Synolog's Docker GUI. You will have to reload after configuring the filters and jails
|
||||
|
||||
## Fail2Ban Filter
|
||||
|
||||
Create the filter file
|
||||
|
@ -122,78 +191,3 @@ type=AVC msg=audit(1571777936.719:2193): avc: denied { search } for pid=5853
|
|||
```
|
||||
To actually find out the reason you can use `grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why`. `audit2allow -a` will give you specific instructions on how to create a module and allow fail2ban to access these logs. Follow these steps and you're done! fail2ban should now work correctly.
|
||||
|
||||
## Setup on Synology
|
||||
Synology, due to DSM system need a bit more work. The main constrains are:
|
||||
|
||||
1. The embeded IP ban system does not work on Docker's containers
|
||||
2. The iptables embeded do no support the `REJECT` instruction
|
||||
3. The Docker GUI does not allow some advanced settings
|
||||
|
||||
I choosed to rely on [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban). Please adapt the following to your context
|
||||
|
||||
`mkdir /volumeX/docker/fail2ban`
|
||||
`touch /volumeX/docker/fail2ban/action.d/iptables-common.local`
|
||||
Copy and paste the following content - this replace `REJECT` by `DROP`
|
||||
````
|
||||
[Init]
|
||||
blocktype = DROP
|
||||
[Init?family=inet6]
|
||||
blocktype = DROP
|
||||
````
|
||||
`touch /volumeX/docker/fail2ban/filter.d/bitwarden.conf`
|
||||
Copy and paste the following content
|
||||
````
|
||||
[INCLUDES]
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
|
||||
ignoreregex =
|
||||
````
|
||||
`touch /volumeX/docker/fail2ban/jail.d/bitwarden.conf`
|
||||
Copy and paste the following content
|
||||
````
|
||||
[DEFAULT]
|
||||
ignoreip = 127.0.0.1/8 192.168.0.0/22
|
||||
bantime = 6400
|
||||
findtime = 86400
|
||||
maxretry = 4
|
||||
backend = auto
|
||||
action = iptables-allports[name=bitwarden]
|
||||
|
||||
[bitwarden]
|
||||
enabled = true
|
||||
port = 80,81,443,8081
|
||||
filter = bitwarden
|
||||
logpath = /bitwarden/bitwarden.log
|
||||
````
|
||||
`touch /volumeX/docker/fail2ban/docker-compose.yml`
|
||||
Copy and paste the following content
|
||||
````
|
||||
version: '3'
|
||||
services:
|
||||
fail2ban:
|
||||
container_name: fail2ban
|
||||
restart: always
|
||||
image: crazymax/fail2ban:latest
|
||||
environment:
|
||||
- TZ=Europe/Paris
|
||||
- F2B_DB_PURGE_AGE=30d
|
||||
- F2B_LOG_TARGET=/data/fail2ban.log
|
||||
- F2B_LOG_LEVEL=DEBUG
|
||||
- F2B_IPTABLES_CHAIN=INPUT
|
||||
|
||||
volumes:
|
||||
- /volumeX/docker/fail2ban:/data
|
||||
- /volumeX/docker/bw-data:/bitwarden:ro
|
||||
|
||||
network_mode: "host"
|
||||
|
||||
privileged: true
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
````
|
||||
Run the container using `docker-compose up -d`
|
||||
You now have to test the jail
|
||||
|
||||
|
|
Loading…
Reference in New Issue