added instructions to add totp protection

Fail2Ban-Setup.md

@@ -12,6 +12,9 @@ Setting up Fail2ban will prevent attackers to brute force your vault logins. Thi
 - [Setup for admin page](#setup-for-admin-page)
 	* [Filter](#filter-1)
 	* [Jail](#jail-1)
+- [Setup for TOTP codes](#setup-for-totp)
+    * [Filter](#filter-2)
+    * [Jail](#jail-2)
 - [Testing Fail2Ban](#testing-fail2ban)
 - [SELinux Problems](#selinux-problems)
 
@@ -305,6 +308,55 @@ Reload fail2ban for changes to take effect:
 sudo systemctl reload fail2ban
 ```
 
+## Setup for TOTP
+As a convention, `path_f2b` means the path needed for Fail2ban to work. This depends on your system. E.g. on Synology, we are talking about `/volumeX/docker/fail2ban/` where on some other systems we are talking about `/etc/fail2ban/`
+
+### Filter
+
+Create and fill the following file
+
+```INI
+# path_f2b/filter.d/vaultwarden-totp.local
+# Fail2Ban filter for Vaultwarden TOTP
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^.*\[ERROR\] Invalid TOTP code! Server time: (.*) UTC IP: <ADDR>$
+ignoreregex =
+```
+
+Example log:
+```
+[YYYY-MM-DD hh:mm:ss][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: YYYY-MM-DD hh:mm:ss UTC IP: 1.2.3.4
+```
+
+### Jail
+
+Create and fill the following file
+```INI
+# path_f2b/jail.d/vaultwarden-totp.local
+
+[vaultwarden-totp]
+enabled = true
+port = 80,443
+filter = vaultwarden-totp
+banaction = iptables-multiport[name=vaultwarden-totp, port="80,443", protocol=tcp]
+logpath = /path/to/vaultwarden.log
+maxretry = 3
+bantime = 14400
+findtime = 14400
+```
+
+Restart fail2ban for changes to take effect:
+
+```bash
+sudo systemctl restart fail2ban
+```
+
+Feel free to change the options as you see fit.
+
 ## Testing Fail2Ban
 Now just try to login to vaultwarden using any email (it doesn't have to be a valid email, just an email format)
 If it works correctly and your IP is banned, you can unban the IP by running: