From 6b57e460702e7fac440497c3fec38dbb1246e8f0 Mon Sep 17 00:00:00 2001
From: Rajib Sharia
Date: Tue, 1 Apr 2025 20:32:00 +0800
Subject: [PATCH 1/6] Create vaultwarden test log
---
 fail2ban/tests/files/logs/vaultwarden | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/vaultwarden
diff --git a/fail2ban/tests/files/logs/vaultwarden b/fail2ban/tests/files/logs/vaultwarden
new file mode 100644
index 00000000..e8961618
--- /dev/null
+++ b/fail2ban/tests/files/logs/vaultwarden
@@ -0,0 +1,23 @@
+# failJSON: { "time": "2024-08-31T02:11:22", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:22.129][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 2001:db8::b6d3:95d7:1425:766d. Username: test@example.com.
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.562][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.94. Username: test@example.com.
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.725][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
+
+# failJSON: { "time": "2024-08-30T18:11:28", "match": true , "host": "80.187.85.94" }
+[2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 80.187.85.94
+
+# failJSON: { "time": "2024-08-30T18:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+[2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! 
Server time: 2024-08-30 18:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
From c7f7bc55bbd36b6c3009af9dad0cb311da93d355 Mon Sep 17 00:00:00 2001
From: Rajib Sharia
Date: Tue, 1 Apr 2025 20:36:53 +0800
Subject: [PATCH 2/6] Create vaultwarden.conf Filter for unsuccessful Vaultwarden authentication attempts
---
 config/filter.d/vaultwarden.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 config/filter.d/vaultwarden.conf
diff --git a/config/filter.d/vaultwarden.conf b/config/filter.d/vaultwarden.conf
new file mode 100644
index 00000000..325395a6
--- /dev/null
+++ b/config/filter.d/vaultwarden.conf
@@ -0,0 +1,8 @@
+# Fail2Ban filter for unsuccessful Vaultwarden authentication attempts
+# Logged in /var/log/vaultwarden.log
+# Author: LearningSpot
+
+[Definition]
+
+failregex = \[vaultwarden::api::(identity||admin||core::two_factor::authenticator)\]\[ERROR\] (Invalid admin token||Invalid TOTP code||Username or password is incorrect)(.*) IP: (?:\. Username: .+\.)?$
+ignoreregex =
From cf9135983cd9e71d3e87419a23703ad6741206cd Mon Sep 17 00:00:00 2001
From: Rajib Sharia
Date: Tue, 1 Apr 2025 20:40:15 +0800
Subject: [PATCH 3/6] Update jail.conf Added jail for vaultwarden
---
 config/jail.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config/jail.conf b/config/jail.conf
index 5498f470..5d75f4f5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -991,3 +991,7 @@ logpath = %(syslog_daemon)s
 [proxmox]
 port = https,http,8006
 logpath = /var/log/daemon.log
+
+[vaultwarden]
+port = http,https
+logpath = /var/log/vaultwarden.log
From 6104444bb4bbe96a2a44d16c38c1dfd13626b219 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Tue, 1 Apr 2025 17:28:58 +0200
Subject: [PATCH 4/6] improve regex (anchored from left, no catch-alls, `` for IP, etc)
---
 config/filter.d/vaultwarden.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/vaultwarden.conf b/config/filter.d/vaultwarden.conf
index 325395a6..63d78937 100644
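Review bot: Every sample in this fixture is `match: true`, so the filter (which is not in this hunk) is never shown rejecting a line, and nothing checks that the attacker-controlled `Username:` value, which is echoed after the real address, cannot shift the captured host. I would add a sample whose username carries an `IP:` token and pin the expected host to the real one, e.g. `# failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "80.187.85.94" }` over `[2024-08-31 02:11:28.562][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 80.187.85.94. Username: x IP: 192.0.2.1.`, plus a `# failJSON: { "match": false }` entry for a non-ERROR line so a loosened regex is caught. The IPv6 samples use the `2001:db8::` documentation prefix, but `80.187.85.94` looks like a real allocated address; `192.0.2.0/24` would be the matching IPv4 choice.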
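Review bot: The header comment `# Logged in /var/log/vaultwarden.log` states a fixed path, but as far as I know Vaultwarden only writes a log file when its `LOG_FILE` option is set and otherwise logs to stdout/journal, so the path is a deployment choice rather than a fact about the application. I would make that explicit, e.g. `# Logged in the file set by Vaultwarden's LOG_FILE option (e.g. /var/log/vaultwarden.log); by default it logs to stdout/journal`, and add that the log must carry the real client address when Vaultwarden sits behind a reverse proxy, since that address is what gets banned. The regex in this hunk is rewritten later in the series, so I am not reviewing it here.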
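Review bot: The new `[vaultwarden]` jail bans whatever address the filter captures after `IP:`, so behind a reverse proxy it only works if Vaultwarden logs the real client address (its `IP_HEADER` setting, if I have the option name right); otherwise the first ban blocks the proxy for everyone. The hard-coded `logpath` likewise assumes Vaultwarden has been configured to write a log file, which as far as I know is not its default. I would add above the section: `# Requires Vaultwarden to write its log to the file below (LOG_FILE) and, behind a reverse proxy, to record the real client address (IP_HEADER)`. `port = http,https` also presumes the ban is applied at the proxy-facing ports; a native install listening on Rocket's own port would stay reachable after a ban, which is worth a word in the same comment.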
--- a/config/filter.d/vaultwarden.conf
+++ b/config/filter.d/vaultwarden.conf
@@ -4,5 +4,5 @@
 
 [Definition]
 
-failregex = \[vaultwarden::api::(identity||admin||core::two_factor::authenticator)\]\[ERROR\] (Invalid admin token||Invalid TOTP code||Username or password is incorrect)(.*) IP: (?:\. Username: .+\.)?$
+failregex = ^\s*(?:\[\]\s*)?\[vaultwarden::api::(identity||admin||core::two_factor::authenticator)\]\[ERROR\] (Invalid admin token||Invalid TOTP code||Username or password is incorrect)[\.!](?:\s+(?!IP:)\S+)* IP: (?:\. Username: \S+)?
 ignoreregex =
From 426eeca62a0ca69ca28ccb9c944f9a8f35a24dad Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 2 Apr 2025 13:52:58 +0200
Subject: [PATCH 5/6] fixed times in test-log (test suite working in TZ CET)
---
 fail2ban/tests/files/logs/vaultwarden | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/tests/files/logs/vaultwarden b/fail2ban/tests/files/logs/vaultwarden
index e8961618..f797eeaf 100644
--- a/fail2ban/tests/files/logs/vaultwarden
+++ b/fail2ban/tests/files/logs/vaultwarden
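Review bot: Both alternations in the new `failregex` use `||`, which adds an empty alternative to each group (`(identity||admin||…)` also accepts nothing between `api::` and `]`); the surrounding literals keep that from matching any real line, but it reads as a typo for `|`, and neither group needs to capture, so I would write `(?:identity|admin|core::two_factor::authenticator)` and `(?:Invalid admin token|Invalid TOTP code|Username or password is incorrect)`. The host token after `IP: ` appears to have been dropped by this rendering (the subject line shows the same gap), so I am assuming fail2ban's `<HOST>` sits there and am not treating the empty capture as a defect. The `^\s*(?:\[\]\s*)?` prefix is not self-explanatory; if, as I believe, the empty `[]` is what remains of the bracketed timestamp once fail2ban has cut the date out of the line, a comment saying so above the regex would spare the next editor a trip through the date-detector code.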
@@ -16,8 +16,8 @@
 # failJSON: { "time": "2024-08-31T02:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
 [2024-08-31 02:11:28.892][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-31 02:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
 
-# failJSON: { "time": "2024-08-30T18:11:28", "match": true , "host": "80.187.85.94" }
+# failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "80.187.85.94" }
 [2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 80.187.85.94
 
-# failJSON: { "time": "2024-08-30T18:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
+# failJSON: { "time": "2024-08-30T20:11:28", "match": true , "host": "2001:db8::b6d3:95d7:1425:766d" }
 [2024-08-31 02:11:28.892+0800][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-08-30 18:11:28 UTC IP: 2001:db8::b6d3:95d7:1425:766d
From 70ce1cef086e36d73caaf9def3f18719e78504a0 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 2 Apr 2025 14:40:04 +0200
Subject: [PATCH 6/6] Update ChangeLog
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index 238395f9..4768ee34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 by substitution of rich rule (gh-3815)
 * `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966)
 * `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702)
+* `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979)
 
 ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km
 -----------
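Review bot: The corrected `time` values only make sense once one knows that failJSON times are in the test suite's local zone (CET per the commit message) while the log's `Server time:` is UTC: the `+0800` entries now expect 20:11 for 18:11 UTC, whereas the offset-less entries above them are taken as local time and stay at 02:11. A one-line comment at the top of the fixture would keep the next contributor from "fixing" them back, e.g. `# failJSON "time" is in the test suite's local zone (CET/CEST); lines with an explicit +0800 offset therefore expect the converted local time, not the UTC shown in "Server time:"`.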