How to install and configure fail2ban with Bitwarden standard Docker install

Ask the Community Password Manager
,
1

Hi

It has taken me a while but I managed to install and configure fail2ban in an Ubuntu 22 VM running the self hosted Bitwarden Docker install from Linux Standard Deployment | Bitwarden Help Center.

Here is a short/concise description of the steps I have taken:

The following change is needed in Bitwarden environment variables after install to create correct log files.

nano ~/bwdata/env/global.override.env

globalSettings__logRollBySizeLimit=1073741824

Now install and configure Fail2ban

install

sudo apt install fail2ban

add jail

nano /etc/fail2ban/jail.conf

Search for the [bitwarden] jail configuration block, delete and replace with (modify last 4 lines as needed)

[bitwarden]
enabled = true
port = 80,443
filter = bitwarden
#action = iptables-allports[name=bitwarden]
action = iptables-allports[name=bitwarden, chain=FORWARD]
logpath = /root/bwdata/logs/identity/Identity/*.txt
maxretry = 5
bantime = 1h
findtime = 10m
ignoreip=127.0.0.1/8 ::1

enable fail2ban service

sudo systemctl enable fail2ban

start fail2ban

sudo systemctl start fail2ban

check if running

sudo systemctl status fail2ban.service

You should get:

ā— fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-01-04 19:06:58 UTC; 14h ago
Docs: man:fail2ban(1)
Process: 28657 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 28658 (f2b/server)
Tasks: 7 (limit: 76987)
Memory: 13.4M
CPU: 19.478s
CGroup: /system.slice/fail2ban.service
ā””ā”€28658 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 04 19:06:58 BW systemd[1]: Starting Fail2Ban Serviceā€¦
Jan 04 19:06:58 BW systemd[1]: Started Fail2Ban Service.
Jan 04 19:06:58 BW fail2ban-server[28658]: Server ready

check fail2ban ban status

fail2ban-client status bitwarden

If all is OK you should get

Status for the jail: bitwarden
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| - File list: /root/bwdata/logs/identity/Identity/log.txt - Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

To unban:

unban all
fail2ban-client unban ā€”all
unban ip
fail2ban-client unban xx.xx.xx.xx

Useful links:

Thanks Adam from support for helping on this.

Hope it helps others. While Bitwarden as is, is supposed to be safe on its own when exposed to the internet (thereā€™s no way around it when self hosting) it certainly helps to have an additional layer of security.

6 Likes
2

Great guide - thanks so much for sharing that with us!

1 Like
3

Thanks to Manilx for working this through with me! I donā€™t really have very much to add to the above, but need to make a comment so that we can add a ā€˜solvedā€™ tag so that others can find this in the future :rofl:

Just wanted to say that in my test instance, I didnā€™t need to make any changes to the logsizes in global.override, so this should be fine with the default configuration too.

In the [bitwarden] jail block, the given logpath is at

Our standard guide would have that log path at /opt/bitwarden/bwdata/logs/identity/Identity/*.txt, however remember to configure this to wherever you installed Bitwarden (from where you ran the bitwarden.sh install command)

Finally a quick reminder that the systemctl daemon-reload & systemctl restart fail2ban commands can be useful for making changes to the fail2ban service without having to reboot the machine (systemctl(1) - Linux manual page)

Would love to hear about any further customisations that our users find useful!

1 Like
4

I have another useful addition

nano /etc/profile.d/jailstatus.sh

Add:

/usr/bin/fail2ban-client status bitwarden

chmod +x jailstatus.sh

Now each time you login you get the current fail2ban status, so you can see if there are blocks by just logging in.

5

Hello everybody,
does it make sense to use additional an nginx proxy? If yes how to setup?
Thank you
Greetings
M

6

You could. I use a Cloudflare tunnel.

7

Thank you for this guide! Iā€™m still having some difficulty, though.

  1. My distroā€™s latest version of fail2ban (0.10.2-2) doesnā€™t have a bitwarden jail in the jail.conf file - is this something you had to set up yourself? I can create the jail and the filter myself if need be, but Iā€™d love to see the regex you used.

  2. When I look at login failures in Bitwardenā€™s identity log, they donā€™t report the actual origin IP address - I only get the docker network host address, e.g.:

      Failed login attempt. 172.21.0.1

Were there additional changes you needed to make in order to get the actual IP to block?

1 Like
8

Since it took me a while to find, Iā€™ll reshare my findings here:
To get the actual origin IP to show up (not the docker network host), youā€™ll need to add the following to bwdata/config.yml:

real_ips:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

Then it should work!

Originally found answer from here: Log failed login attempts Ā· Issue #604 Ā· bitwarden/server Ā· GitHub

1 Like
10

I have now added this, but IP addresses like 172.22.0.1 are still blocked by fail2ban even after ./bitwarden.sh rebuild

11

Iā€™m resurrecting an old topicā€¦ but has anyone truly tested this to see if it actually works? What I mean by thatā€¦

I have fail2ban configured and running. It shows it is banning IP addresses after failed login attempts but it actually isnā€™t. Iā€™ve tested this with remote VPN connections. Iā€™ll attempt five logins and check fail2ban. It will show it banned the IP address but I can still access and log in to Bitwarden from that banned IP address.

Iā€™m not sure why the block is not making it over to the firewall rules but it definitely isnā€™t.

Issue #2:

fail2ban does not like constantly changing log files. When the service is started, it looks at the log files currently in the directory. It does not pick up new daily files unless the fail2ban service is restarted.

12

Itā€™s working fine on my Docker Container hosted on my Synology NAS with Bitwarden server 2024.4.1. What is Docker running on and what firewall is it trying to modify?

13

Wow. I never realised that until a few days ago when I started troubleshooting the first issue you are mentioning.
Then came across this, and I can confirm. If a new Bitwarden log file is generated, fail2ban does not pick it up and monitor it unless it is restarted.