diff --git a/Fail2Ban-Setup.md b/Fail2Ban-Setup.md index 2b94743..91d059d 100644 --- a/Fail2Ban-Setup.md +++ b/Fail2Ban-Setup.md @@ -12,6 +12,9 @@ Setting up Fail2ban will prevent attackers to brute force your vault logins. Thi - [Setup for admin page](#setup-for-admin-page) * [Filter](#filter-1) * [Jail](#jail-1) +- [Setup for TOTP codes](#setup-for-totp) + * [Filter](#filter-2) + * [Jail](#jail-2) - [Testing Fail2Ban](#testing-fail2ban) - [SELinux Problems](#selinux-problems) 
@@ -305,6 +308,55 @@ Reload fail2ban for changes to take effect: sudo systemctl reload fail2ban ``` +## Setup for TOTP +As a convention, `path_f2b` means the path needed for Fail2ban to work. This depends on your system. E.g. on Synology, we are talking about `/volumeX/docker/fail2ban/` where on some other systems we are talking about `/etc/fail2ban/` + +### Filter + +Create and fill the following file + +```INI +# path_f2b/filter.d/vaultwarden-totp.local +# Fail2Ban filter for Vaultwarden TOTP + +[INCLUDES] +before = common.conf + +[Definition] +failregex = ^.*\[ERROR\] Invalid TOTP code! Server time: (.*) UTC IP: $ +ignoreregex = +``` + +Example log: +``` +[YYYY-MM-DD hh:mm:ss][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: YYYY-MM-DD hh:mm:ss UTC IP: 1.2.3.4 +``` + +### Jail + +Create and fill the following file +```INI +# path_f2b/jail.d/vaultwarden-totp.local + +[vaultwarden-totp] +enabled = true +port = 80,443 +filter = vaultwarden-totp +banaction = iptables-multiport[name=vaultwarden-totp, port="80,443", protocol=tcp] +logpath = /path/to/vaultwarden.log +maxretry = 3 +bantime = 14400 +findtime = 14400 +``` + +Restart fail2ban for changes to take effect: + +```bash +sudo systemctl restart fail2ban +``` + +Feel free to change the options as you see fit. + ## Testing Fail2Ban Now just try to login to vaultwarden using any email (it doesn't have to be a valid email, just an email format) If it works correctly and your IP is banned, you can unban the IP by running:
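Review bot: the TOC entry added in the first hunk reads "Setup for TOTP codes" while the heading it links to (second hunk) is `## Setup for TOTP`; the anchor `#setup-for-totp` resolves, but the link text should match the heading, as the other entries do. The `#filter-2` / `#jail-2` anchors follow the existing `#filter-1` / `#jail-1` numbering, so those are consistent.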
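Review bot: in the `vaultwarden-totp.local` filter, the `failregex` as shown ends in `IP: $` with no `<HOST>` tag, so Fail2ban has no address to ban and will reject the pattern with "No 'host' group" (if the tag was dropped in rendering, confirm the committed file actually ends in `IP: <HOST>$`); the `(.*)` capture around the server time is unnecessary and the greedy `^.*` prefix can be tightened to the example log's `\[ERROR\]` position. Two smaller points: the earlier sections tell the reader to `sudo systemctl reload fail2ban`, while this one says `restart`; a reload is enough to pick up a new jail and filter file and avoids dropping existing bans, so keep the wording consistent. The jail also repeats the ports in both `port = 80,443` and `banaction = iptables-multiport[... port="80,443" ...]`; relying on `port` alone (as the default banaction substitutes it) avoids the two values drifting apart.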