rhino/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-22 09:49:20 -07:00
Code Issues Packages Projects Releases Wiki Activity

Adding Fail2ban on Synology setup

sosandroid
2020-03-23 21:50:03 +01:00
parent 7190a95a41
commit b2ce95ea8b
1 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
Fail2Ban-Setup.md

@@ -122,3 +122,78 @@ type=AVC msg=audit(1571777936.719:2193): avc: denied { search } for pid=5853
``` ```
To actually find out the reason you can use `grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why`. `audit2allow -a` will give you specific instructions on how to create a module and allow fail2ban to access these logs. Follow these steps and you're done! fail2ban should now work correctly. To actually find out the reason you can use `grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why`. `audit2allow -a` will give you specific instructions on how to create a module and allow fail2ban to access these logs. Follow these steps and you're done! fail2ban should now work correctly.
## Setup on Synology
Synology, due to DSM system need a bit more work. The main constrains are:
1. The embeded IP ban system does not work on Docker's containers
2. The iptables embeded do no support the `REJECT` instruction
3. The Docker GUI does not allow some advanced settings
I choosed to rely on [crazy-max/docker-fail2ban](https://github.com/crazy-max/docker-fail2ban). Please adapt the following to your context
`mkdir /volumeX/docker/fail2ban`
`touch /volumeX/docker/fail2ban/action.d/iptables-common.local`
Copy and paste the following content - this replace `REJECT` by `DROP`
````
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
````
`touch /volumeX/docker/fail2ban/filter.d/bitwarden.conf`
Copy and paste the following content
````
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
````
`touch /volumeX/docker/fail2ban/jail.d/bitwarden.conf`
Copy and paste the following content
````
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 6400
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]
[bitwarden]
enabled = true
port = 80,81,443,8081
filter = bitwarden
logpath = /bitwarden/bitwarden.log
````
`touch /volumeX/docker/fail2ban/docker-compose.yml`
Copy and paste the following content
````
version: '3'
services:
fail2ban:
container_name: fail2ban
restart: always
image: crazymax/fail2ban:latest
environment:
- TZ=Europe/Paris
- F2B_DB_PURGE_AGE=30d
- F2B_LOG_TARGET=/data/fail2ban.log
- F2B_LOG_LEVEL=DEBUG
- F2B_IPTABLES_CHAIN=INPUT
volumes:
- /volumeX/docker/fail2ban:/data
- /volumeX/docker/bw-data:/bitwarden:ro
network_mode: "host"
privileged: true
cap_add:
- NET_ADMIN
- NET_RAW
````
Run the container using `docker-compose up -d`
You now have to test the jail