How to install and configure fail2ban with Bitwarden standard Docker install

Hi

It has taken me a while but I managed to install and configure fail2ban in an Ubuntu 22 VM running the self hosted Bitwarden Docker install from Install and Deploy - Linux | Bitwarden Help Center.

Here is a short/concise description of the steps I have taken:

The following change is needed in Bitwarden environment variables after install to create correct log files.

nano ~/bwdata/env/global.override.env

globalSettings__logRollBySizeLimit=1073741824

Now install and configure Fail2ban

install

sudo apt install fail2ban

add jail

nano /etc/fail2ban/jail.conf

Search for the [bitwarden] jail configuration block, delete and replace with (modify last 4 lines as needed)

[bitwarden]
enabled = true
port = 80,443
filter = bitwarden
#action = iptables-allports[name=bitwarden]
action = iptables-allports[name=bitwarden, chain=FORWARD]
logpath = /root/bwdata/logs/identity/Identity/*.txt
maxretry = 5
bantime = 1h
findtime = 10m
ignoreip=127.0.0.1/8 ::1

enable fail2ban service

sudo systemctl enable fail2ban

start fail2ban

sudo systemctl start fail2ban

check if running

sudo systemctl status fail2ban.service

You should get:

● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-01-04 19:06:58 UTC; 14h ago
Docs: man:fail2ban(1)
Process: 28657 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 28658 (f2b/server)
Tasks: 7 (limit: 76987)
Memory: 13.4M
CPU: 19.478s
CGroup: /system.slice/fail2ban.service
└─28658 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 04 19:06:58 BW systemd[1]: Starting Fail2Ban Service…
Jan 04 19:06:58 BW systemd[1]: Started Fail2Ban Service.
Jan 04 19:06:58 BW fail2ban-server[28658]: Server ready

check fail2ban ban status

fail2ban-client status bitwarden

If all is OK you should get

Status for the jail: bitwarden
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| - File list: /root/bwdata/logs/identity/Identity/log.txt - Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

To unban:

unban all
fail2ban-client unban —all
unban ip
fail2ban-client unban xx.xx.xx.xx

Useful links:
https://www.fail2ban.org/wiki/index.php/Fail2Ban
https://www.fail2ban.org/wiki/index.php/Manual

Thanks Adam from support for helping on this.

Hope it helps others. While Bitwarden as is, is supposed to be safe on its own when exposed to the internet (there’s no way around it when self hosting) it certainly helps to have an additional layer of security.

5 Likes

Great guide - thanks so much for sharing that with us!

1 Like

Thanks to Manilx for working this through with me! I don’t really have very much to add to the above, but need to make a comment so that we can add a ‘solved’ tag so that others can find this in the future :rofl:

Just wanted to say that in my test instance, I didn’t need to make any changes to the logsizes in global.override, so this should be fine with the default configuration too.

In the [bitwarden] jail block, the given logpath is at

Our standard guide would have that log path at /opt/bitwarden/bwdata/logs/identity/Identity/*.txt, however remember to configure this to wherever you installed Bitwarden (from where you ran the bitwarden.sh install command)

Finally a quick reminder that the systemctl daemon-reload & systemctl restart fail2ban commands can be useful for making changes to the fail2ban service without having to reboot the machine (systemctl(1) - Linux manual page)

Would love to hear about any further customisations that our users find useful!

1 Like

I have another useful addition

nano /etc/profile.d/jailstatus.sh

Add:

/usr/bin/fail2ban-client status bitwarden

chmod +x jailstatus.sh

Now each time you login you get the current fail2ban status, so you can see if there are blocks by just logging in.

Hello everybody,
does it make sense to use additional an nginx proxy? If yes how to setup?
Thank you
Greetings
M

You could. I use a Cloudflare tunnel.

Thank you for this guide! I’m still having some difficulty, though.

  1. My distro’s latest version of fail2ban (0.10.2-2) doesn’t have a bitwarden jail in the jail.conf file - is this something you had to set up yourself? I can create the jail and the filter myself if need be, but I’d love to see the regex you used.

  2. When I look at login failures in Bitwarden’s identity log, they don’t report the actual origin IP address - I only get the docker network host address, e.g.:

      Failed login attempt. 172.21.0.1

Were there additional changes you needed to make in order to get the actual IP to block?

1 Like

Since it took me a while to find, I’ll reshare my findings here:
To get the actual origin IP to show up (not the docker network host), you’ll need to add the following to bwdata/config.yml:

real_ips:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

Then it should work!

Originally found answer from here: Log failed login attempts · Issue #604 · bitwarden/server · GitHub

1 Like