Lock self hosted BW with Fail2Ban

Hi

Has anyone got an easy way to harden self-hosted Bitwarden with Fail2Ban?
I have tried in vain. I have read many posts, but Fail2Ban never blocked anything.
The filter was correct, and trying it with
fail2ban-regex /root/bwdata/logs/identity/Identity/log.txt /etc/fail2ban/filter.d/bitwarden seemed to catch the correct lines. But the jail never worked.

This is the standard self-hosted BW running on DietPi (Debian).

Thx in advance

This was my config:

The log file is in /root/bwdata/logs/identity/Identity/log.txt

The lines to parse as wrong logins are:

2022-12-30 16:10:15.712 +00:00 [WRN] Failed login attempt, 2FA invalid. 192.168.2.40

/etc/fail2ban/filter.d/bitwarden.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = Bitwarden-Identity
# fail2ban requires a <HOST> tag (the IP to ban) in every failregex; the log line ends with it
failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. <HOST>$

/etc/fail2ban/jail.conf

[bitwarden]
enabled = true
port = 80,443
filter = bitwarden
#action = iptables-allports[name=bitwarden]
action = iptables-allports[name=bitwarden, chain=FORWARD]
logpath = /root/bwdata/logs/identity/Identity/log.txt
maxretry = 3
bantime = 14400
findtime = 14400

Running fail2ban-client status bitwarden I always get:

Status for the jail: bitwarden
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Hi,

I got the same after upgrading to 2022.10.0. I changed my logpath in jail.local (jail.conf) from log.txt to *.txt, and then it worked.

[bitwarden]
enabled = true
port = 80,443
filter = bitwarden
#action = iptables-allports[name=bitwarden]
action = iptables-allports[name=bitwarden, chain=FORWARD]
logpath = /opt/bitwarden/bwdata/logs/identity/Identity/*.txt
maxretry = 3
bantime = 14400
findtime = 14400

1 Like
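An offline check of the jail and filter discussed above, added here as an example; it is not code from the thread, from Bitwarden or from fail2ban. It mimics the three things fail2ban has to get right before any ban can happen: the backend (the status block in the first post shows "Journal matches:" under Filter where a file-watching jail shows "File list:", which is how fail2ban reports a jail on the systemd backend, and such a jail ignores logpath entirely; setting backend = auto in the [bitwarden] stanza makes it read the file), the logpath glob (a pattern that matches no file means the jail watches nothing, which is why the *.txt change in the reply above matters once the log is rolled under a dated name), and the failregex applied to each line after the timestamp has been cut off, with failures counted per IP against maxretry and findtime. The log lines (the first is the one from the thread), the status text and the rolled file name log20221230.txt are constructed for the example; the rolled file name is an assumption. %(__prefix_line)s from common.conf is dropped and the mandatory <HOST> tag is written as a plain IP group.

```python
"""Offline reproduction of what the bitwarden jail must do before it can ban.

Added example, not code from the thread, Bitwarden or fail2ban. Mimics:
reading the backend out of `fail2ban-client status` output, expanding the
jail's logpath glob, and running the filter's failregex over log lines once
the timestamp is cut off, then counting hits per IP like maxretry/findtime.
"""
import glob
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity log; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
2022-12-30 16:10:15.712 +00:00 [WRN] Failed login attempt, 2FA invalid. 192.168.2.40
2022-12-30 16:10:19.004 +00:00 [INF] User logged in. 192.168.2.41
2022-12-30 16:11:02.118 +00:00 [WRN] Failed login attempt. 203.0.113.7
2022-12-30 16:11:40.550 +00:00 [WRN] Failed login attempt, 2FA invalid. 203.0.113.7
2022-12-30 16:12:05.913 +00:00 [WRN] Failed login attempt. 203.0.113.7
2022-12-31 09:00:00.000 +00:00 [WRN] Failed login attempt. 203.0.113.7
"""

# The status block from the first post, tree characters restored.
SAMPLE_STATUS = """\
Status for the jail: bitwarden
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
"""

# fail2ban's datepattern strips the timestamp before failregex runs, so the
# filter's ^ effectively anchors right after it. Same split here.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2})\s*")

# The thread's failregex with common.conf's optional %(__prefix_line)s dropped
# and the mandatory <HOST> tag written as a named group (IPv4/IPv6 only here).
FAILREGEX = re.compile(
    r"^\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt"
    r"(?:, 2FA invalid)?\. (?P<host>[0-9A-Fa-f.:]+)$"
)


def backend_from_status(status_text):
    """'file' if Filter lists files, 'systemd' if it shows journal matches.
    A systemd-backend jail never opens logpath at all."""
    if "File list:" in status_text:
        return "file"
    if "Journal matches:" in status_text:
        return "systemd"
    return "unknown"


def parse_line(line):
    """Return (timestamp, host) for a failed-login line, else None."""
    date = DATE_RE.match(line)
    hit = FAILREGEX.match(line[date.end():]) if date else None
    if not hit:
        return None
    ts = datetime.strptime(date.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
    return ts, hit.group("host")


def find_bans(lines, maxretry=3, findtime=14400):
    """Ban a host at its maxretry-th failure inside a findtime-second window.
    Returns {host: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent, bans = defaultdict(list), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in bans:
            continue
        ts, host = parsed
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = ts
    return bans


def logpath_matches(logpath):
    """fail2ban expands logpath with glob(); empty means nothing is watched."""
    return sorted(glob.glob(logpath))


def demo_logpath():
    """Constructed layout: one date-suffixed rolled log, no plain log.txt.
    Returns (matches for .../log.txt, matches for .../*.txt)."""
    logdir = os.path.join(tempfile.mkdtemp(), "logs", "identity", "Identity")
    os.makedirs(logdir)
    with open(os.path.join(logdir, "log20221230.txt"), "w") as fh:  # assumed name
        fh.write(SAMPLE_LOG)
    return (logpath_matches(os.path.join(logdir, "log.txt")),
            logpath_matches(os.path.join(logdir, "*.txt")))


if __name__ == "__main__":
    print("backend:", backend_from_status(SAMPLE_STATUS))
    exact, wildcard = demo_logpath()
    print("log.txt matches:", exact, "| *.txt matches:", len(wildcard))
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print("would ban", host, "at", when.isoformat())
```

Run it as a script: it reports the backend read from the status text (systemd), shows that log.txt matches nothing while *.txt finds the rolled file, and lists 203.0.113.7 as banned at its third failure inside the four-hour window; 192.168.2.40 has a single failure and stays unbanned. Against a real install, run fail2ban-regex with the actual filter and log first, then compare fail2ban-client status bitwarden with the two backend shapes above.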

Hi

tried that. Still not working.

I think this is your problem, @manilx - your server is using RPi hardware, right? That can't be a standard Bitwarden server install. That software does not run on ARM devices. You must be running server software created and distributed by someone other than Bitwarden. Could you please take your questions to their support community?

Nope, don't know where you got that idea from. Running a standard Docker Bitwarden install on a Debian VM/Proxmox (DietPi distro).

I believe it was just from the naming of the distro itself; there are so many, too many to know them all :laughing:

But from what I can tell, DietPi is specialized to run on something even as lightweight as a Raspberry Pi and has ARM support, though if yours is on a Proxmox VM (hey, another Proxmox homelabber) then it's most likely running on x86, which is also provided.

I believe David was just confused by the naming, as Bitwarden's standard installer does not support ARM (but their new Unified beta does), though there has been much confusion on the topic, as before the Unified beta there was other third-party server software designed to look like and run with Bitwarden clients.
Many articles incorrectly label these as being the same, but they are not, and developers from both sides have attempted to make this clear; unfortunately there is still much confusion about it in the official community here.
Though steps are being taken to make the distinctions clearer for their respective communities as well. If you have any issues with the official product, anyone in this community is glad to help. Even in the third-party communities I have seen much engagement and support, just wanting to be sure each product is being supported properly. :slightly_smiling_face:

1 Like

My apologies then.

No problem.
I do use DietPi on top of standard Debian 11 on an x86 VM.
It removes A LOT of unneeded stuff and has built-in commands/scripts for 90% of daily admin jobs (backup, drive manager etc.). So much easier than fiddling with bare-bones Debian.

Anyway, I installed Fail2Ban via their software installer (again because it's easy and you can uninstall it). It blocks SSH etc. just fine.
But Bitwarden is escaping me.

Adam from Bitwarden support suggested I post here in case someone has tackled this:
"While our support channel is primarily intended to support Bitwarden installations, I appreciate that fail2ban is a popular tool in the self-hosting community, and having a viable configuration would be useful for our users."

So that’s what I have done.

Sounds good, and I think that’s a smart idea to use this distro for a lightweight VM.

This is a bit off-topic, so I hope you don't mind, but why run the full BW Docker stack rather than the BW Unified Docker container if you are trying to minimize your resource footprint on Proxmox? I recognize that the Unified server is still in beta, but it appears to be getting good reviews so far.

David
No special reason at all! I actually was using BW cloud (paid) and moved to Vaultwarden self-hosted because DietPi has an install for it and it's one-click. I also had fail2ban working fine and blocking all false login attempts.
But then I saw a video from Lawrence Systems with a how-to on installing BW via Docker, and I am a paying customer of BW. This is what I've done. Not that difficult either, once I had that help.
I've seen the beta, but as there was no hand-holding I haven't done that one.

I’m no Docker specialist or fan, need step by step info on that…

Actually, I have now tried again and installed the beta.
I get to the login page, but "create user" doesn't do anything.

Hard to say what the issue is - did you check that your database is running and that the Docker container is up and healthy? What do you get when you run docker ps in the host VM?

2143f8c410fe   bitwarden/self-host:beta   "/entrypoint.sh"         2 minutes ago    Up 2 minutes    0.0.0.0:80->8080/tcp, :::80->8080/tcp                           root-bitwarden-1
4e1aebc4916e   mariadb:10                 "docker-entrypoint.s…"   19 minutes ago   Up 19 minutes   3306/tcp                                                        root-db-1
4c76cb908d37   portainer/portainer-ce     "/portainer"             44 minutes ago   Up 20 minutes   8000/tcp, 9443/tcp, 0.0.0.0:9002->9000/tcp, :::9002->9000/tcp   portainer

Seems all OK

Site entry is at port 80; SSL is not working as I have no certs. I use a Cloudflare tunnel from outside.
I have copied the env vars from my other BW install (mail etc.).

If that's the case, you might try restarting the container. That may "kickstart" things. Otherwise, you may have missed configuring something when you performed the initial setup. Did you follow the install instructions on Bitwarden.com? If so, I would be tempted to remove the container and just try again.

Did that three times now.
I just noticed that when I scroll up I get a lot of:

WARN[0000] The "ai62" variable is not set. Defaulting to a blank string. 
WARN[0000] The "ai62" variable is not set. Defaulting to a blank string. 
WARN[0000] The "ai62" variable is not set. Defaulting to a blank string. 
[+] Running 0/2
 ⠏ db Pulling                                                                                                                                2.0s
   ⠋ 6e3729cf69e0 Pulling fs layer                                                                                                           0.0s
   ⠋ 0b2128efbd85 Pulling fs layer                                                                                                           0.0s
   ⠋ 94c8eab958ce Pulling fs layer                                                                                                           0.0s
   ⠋ 73cc9c81ae7f Waiting                                                                                                                    0.0s
   ⠋ 20bcac65cb84 Waiting                                                                                                                    0.0s
   ⠋ c4a9b64b12f6 Waiting                                                                                                                    0.0s
   ⠋ 890f8c45a000 Waiting                                                                                                                    0.0s
   ⠋ 97533be58132 Waiting                                                                                                                    0.0s
 ⠏ bitwarden Pulling                                                                                                                         2.0s
[+] Running 0/485 Waiting                                                                                                                    0.0s
 ⠋ db Pulling                                                                                                                                2.1s
   ⠙ 6e3729cf69e0 Pulling fs layer                                                                                                           0.1s
   ⠙ 0b2128efbd85 Pulling fs layer                                                                                                           0.1s
   ⠙ 94c8eab958ce Pulling fs layer                                                                                                           0.1s
   ⠙ 73cc9c81ae7f Waiting                                                                                                                    0.1s
   ⠙ 20bcac65cb84 Waiting                                                                                                                    0.1s
   ⠙ c4a9b64b12f6 Waiting                                                                                                                    0.1s
   ⠙ 890f8c45a000 Waiting                                                                                                                    0.1s
   ⠙ 97533be58132 Waiting                                                                                                                    0.1s
 ⠋ bitwarden Pulling

Stuff pulling/waiting but nothing happens.

Not sure how long this is all taking, but if it doesn't complete within a few minutes, there could be an issue. I would double-check all the config settings to be sure.

Not moving forward at all, but the web page loads and docker ps says all is good.
Config seems fine.
Guess I'll stay with what's working :wink:

Hey @manilx, feel free to share the issue you ran into with Unified on the GitHub repo as a bug report:

While the Bitwarden unified deployment remains in beta release, we encourage you to report issues and give feedback via GitHub. Please use this issue template to report anything related to your Bitwarden unified deployment and check out this page to track known issues or join the discussion.