diff --git a/ChangeLog b/ChangeLog
index 238395f9..4768ee34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition by substitution of rich rule (gh-3815) * `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966) * `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702) +* `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979) ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km -----------
diff --git a/config/filter.d/vaultwarden.conf b/config/filter.d/vaultwarden.conf
new file mode 100644
index 00000000..63d78937
--- /dev/null
+++ b/config/filter.d/vaultwarden.conf
@@ -0,0 +1,8 @@
+# Fail2Ban filter for unsuccessful Vaultwarden authentication attempts
+# Logged in /var/log/vaultwarden.log
+# Author: LearningSpot
+
+[Definition]
+
+failregex = ^\s*(?:\[\]\s*)?\[vaultwarden::api::(identity||admin||core::two_factor::authenticator)\]\[ERROR\] (Invalid admin token||Invalid TOTP code||Username or password is incorrect)[\.!](?:\s+(?!IP:)\S+)* IP: (?:\. Username: \S+)?
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index 5498f470..5d75f4f5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -991,3 +991,7 @@ logpath = %(syslog_daemon)s
 [proxmox]
 port = https,http,8006
 logpath = /var/log/daemon.log
+
+[vaultwarden]
+port = http,https
+logpath = /var/log/vaultwarden.log
diff --git a/fail2ban/tests/files/logs/vaultwarden b/fail2ban/tests/files/logs/vaultwarden
new file mode 100644
index 00000000..f797eeaf
--- /dev/null
+++ b/fail2ban/tests/files/logs/vaultwarden
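Review bot: In the `failregex` of `config/filter.d/vaultwarden.conf` both alternations are written with `||`, which leaves an empty alternative between the listed ones, so the module group and the message group can each match nothing and a constructed line such as `[vaultwarden::api::][ERROR] . IP: …` would be counted as a failure. A single `|` was almost certainly meant, and neither group needs to capture: `\[vaultwarden::api::(?:identity|admin|core::two_factor::authenticator)\]\[ERROR\] (?:Invalid admin token|Invalid TOTP code|Username or password is incorrect)[\.!]`. As rendered on this page there is also nothing between `IP: ` and the optional `Username` group; if that is not an artifact of how the page was produced, a host tag such as `<ADDR>` has to follow `IP: ` so the filter yields an address to ban.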
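Review bot: The new `[vaultwarden]` section in `config/jail.conf` bans whatever address Vaultwarden prints after `IP:`, and nothing in the section says what that address depends on. Behind a reverse proxy Vaultwarden takes the client address from the header named by its `IP_HEADER` setting, so with a wrong header the jail bans the proxy, and where that header is accepted straight from clients the banned address is whatever the request claimed. I would put a comment above the section, for example `# needs LOG_FILE=/var/log/vaultwarden.log; behind a proxy, IP_HEADER must be set only by the trusted proxy`. The same comment could note that `port = http,https` has to be overridden where Vaultwarden is published on another port.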
@@ -0,0 +1,23 @@
+# failJSON: { "time": "2024-08-31T02:11:22", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:22.129][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 2001:db8::b6d3:95d7:1425:766d. Username: test@example.com.
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.562][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.94. Username: test@example.com.
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! 
Server time: 2024-08-30 18:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
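Review bot: All eight samples in `fail2ban/tests/files/logs/vaultwarden` are `"match": true`, so the fixture pins what the filter must catch but nothing it must ignore. A few negative samples, each preceded by `# failJSON: { "match": false }`, would catch an over-broad pattern: for instance an `[ERROR]` line from a module the filter does not list, or an `[INFO]` line that happens to carry an `IP:` field. The identity samples also show the account name being logged after the address, so a sample whose `Username:` value itself contains the text ` IP: ` would confirm that only the first address on the line is taken.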