bitwarden_rs: setup fail2ban
parent
25f45ec6f6
commit
80384b2afe
|
@ -91,6 +91,39 @@ in {
|
||||||
paths = [ "/var/lib/bitwarden_rs" ];
|
paths = [ "/var/lib/bitwarden_rs" ];
|
||||||
exclude = [ "/var/lib/bitwarden_rs/icon_cache" ];
|
exclude = [ "/var/lib/bitwarden_rs/icon_cache" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.fail2ban.jails = {
|
||||||
|
bitwarden_rs = ''
|
||||||
|
enabled = true
|
||||||
|
filter = bitwarden_rs
|
||||||
|
port = http,https
|
||||||
|
maxretry = 5
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Admin page isn't enabled by default, but just in case...
|
||||||
|
bitwarden_rs-admin = ''
|
||||||
|
enabled = true
|
||||||
|
filter = bitwarden_rs-admin
|
||||||
|
port = http,https
|
||||||
|
maxretry = 2
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.etc = {
|
||||||
|
"fail2ban/filter.d/bitwarden_rs.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
|
||||||
|
ignoreregex =
|
||||||
|
journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
|
||||||
|
'';
|
||||||
|
|
||||||
|
"fail2ban/filter.d/bitwarden_rs-admin.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
|
||||||
|
ignoreregex =
|
||||||
|
journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
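Review bot: The `failregex` in `fail2ban/filter.d/bitwarden_rs.conf` opens with a greedy `^.*` and the matched line ends with the submitted username, so the address fail2ban extracts comes from the last occurrence of the phrase on the line, not the first. If bitwarden_rs logs the username unmodified (not visible in this commit), client-supplied text could influence which address gets banned; a non-greedy prefix, `failregex = ^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$`, keeps the match on the part the service itself wrote, and the `bitwarden_rs-admin` filter would take the same `^.*?` change. Both jails also assume the logged IP is the real client: if the service runs behind a reverse proxy, confirm it logs the forwarded address, otherwise the jail bans the proxy or nothing at all. A comment above `services.fail2ban.jails` such as `# filters use journalmatch, so these jails need the systemd backend` would record that dependency.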