bitwarden_rs: setup fail2ban

2021-02-22 15:56:01 +01:00 · 2021-02-22 15:56:01 +01:00 · 80384b2afe
parent 25f45ec6f6
commit 80384b2afe
1 changed files with 33 additions and 0 deletions
--- a/services/bitwarden_rs.nix
+++ b/services/bitwarden_rs.nix
@ -91,6 +91,39 @@ in {
      paths = [ "/var/lib/bitwarden_rs" ];
      exclude = [ "/var/lib/bitwarden_rs/icon_cache" ];
    };
+
+    services.fail2ban.jails = {
+      bitwarden_rs = ''
+        enabled = true
+        filter = bitwarden_rs
+        port = http,https
+        maxretry = 5
+      '';
+
+      # Admin page isn't enabled by default, but just in case...
+      bitwarden_rs-admin = ''
+        enabled = true
+        filter = bitwarden_rs-admin
+        port = http,https
+        maxretry = 2
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/bitwarden_rs.conf".text = ''
+        [Definition]
+        failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
+        ignoreregex =
+        journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
+      '';
+
+      "fail2ban/filter.d/bitwarden_rs-admin.conf".text = ''
+        [Definition]
+        failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
+        ignoreregex =
+        journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service
+      '';
+    };
  };

 }