From 80384b2afedb41e675f377ed34698e80621e8559 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 22 Feb 2021 15:56:01 +0100
Subject: [PATCH] bitwarden_rs: setup fail2ban
---
 services/bitwarden_rs.nix | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
index 8d26243..10ce7cc 100644
--- a/services/bitwarden_rs.nix
+++ b/services/bitwarden_rs.nix
@@ -91,6 +91,39 @@ in {
 paths = [ "/var/lib/bitwarden_rs" ];
 exclude = [ "/var/lib/bitwarden_rs/icon_cache" ];
 };
+
+ services.fail2ban.jails = {
+ bitwarden_rs = ''
+ enabled = true
+ filter = bitwarden_rs
+ port = http,https
+ maxretry = 5
+ '';
+
+ # Admin page isn't enabled by default, but just in case...
+ bitwarden_rs-admin = ''
+ enabled = true
+ filter = bitwarden_rs-admin
+ port = http,https
+ maxretry = 2
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/bitwarden_rs.conf".text = ''
+ [Definition]
+ failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$
+ ignoreregex =
+ journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
+ '';
+
+ "fail2ban/filter.d/bitwarden_rs-admin.conf".text = ''
+ [Definition]
+ failregex = ^.*Invalid admin token\. IP: .*$
+ ignoreregex =
+ journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
+ '';
+ };
 };
 }
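Review bot: Both `failregex` lines in the new `environment.etc` filters, as shown on this page, have nothing after `IP: `, so neither carries a host tag from which fail2ban can take the address to ban; this may be an angle-bracket tag lost when the page was rendered, so check the committed file. If the tag is really absent, the lines should read `failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$` and `failregex = ^.*Invalid admin token\. IP: <ADDR>.*$`. The banned address is whatever bitwarden_rs writes to the journal, so if the service sits behind a reverse proxy (not visible in this hunk) a comment should state that the proxy must overwrite the client-IP header, otherwise the jail acts on the proxy's own address or on a client-supplied value. Neither jail sets `findtime` or `bantime`, so a short comment such as `# findtime/bantime inherited from the DEFAULT jail` would make the effective lockout policy for `maxretry = 5` and `maxretry = 2` explicit. The enclosing attribute set opens before the hunk.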