Merge pull request #3979 from LearningSpot/vaultwarden

Added jail for Vaultwarden
2025-04-02 14:41:38 +02:00 · 2025-04-02 14:41:38 +02:00 · bfd80ce522
parent fc3e8a5d37 70ce1cef08
commit bfd80ce522
4 changed files with 36 additions and 0 deletions
--- a/1
+++ b/1
@ -71,6 +71,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
  by substitution of rich rule (gh-3815)
 * `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966)
 * `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702)
+* `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979)

 ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km
 -----------
--- a/config/filter.d/vaultwarden.conf
+++ b/config/filter.d/vaultwarden.conf
@ -0,0 +1,8 @@
+# Fail2Ban filter for unsuccessful Vaultwarden authentication attempts
+# Logged in /var/log/vaultwarden.log
+# Author: LearningSpot
+
+[Definition]
+
+failregex = ^\s*(?:\[\]\s*)?\[vaultwarden::api::(identity||admin||core::two_factor::authenticator)\]\[ERROR\] (Invalid admin token||Invalid TOTP code||Username or password is incorrect)[\.!](?:\s+(?!IP:)\S+)* IP: <ADDR>(?:\. Username: <F-USER>\S+</F-USER>)?
+ignoreregex =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -991,3 +991,7 @@ logpath = %(syslog_daemon)s
 [proxmox]
 port = https,http,8006
 logpath = /var/log/daemon.log
+
+[vaultwarden]
+port = http,https
+logpath = /var/log/vaultwarden.log
--- a/fail2ban/tests/files/logs/vaultwarden
+++ b/fail2ban/tests/files/logs/vaultwarden
@ -0,0 +1,23 @@
+# failJSON: { "time": "2024-08-31T02:11:22", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:22.129][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 2001:db8::b6d3:95d7:1425:766d. Username: test@example.com.
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.562][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.94. Username: test@example.com.
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d