From ec715d78fbd04fc4225808797677952dcdab5e37 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Wed, 26 Dec 2018 11:54:31 -0500 Subject: [PATCH 1/3] Change log timestamp format so fail2ban can parse it --- src/main.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index 160d2f5f..0f0b6f78 100644 --- a/src/main.rs +++ b/src/main.rs @@ -71,7 +71,7 @@ fn init_logging() -> Result<(), fern::InitError> { .format(|out, message, record| { out.finish(format_args!( "{}[{}][{}] {}", - chrono::Local::now().format("[%Y-%m-%d][%H:%M:%S]"), + chrono::Local::now().format("[%Y-%m-%d %H:%M:%S]"), record.target(), record.level(), message From 473740c13a36f88a48a9eaf0d44c7d43e838047e Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Wed, 26 Dec 2018 12:07:16 -0500 Subject: [PATCH 2/3] Update fail2ban documentation for new logging format --- README.md | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 38c3642f..c53a12bd 100644 --- a/README.md +++ b/README.md @@ -451,27 +451,15 @@ Though this is unlikely to be required in small deployment, you can fine-tune so ### Fail2Ban Setup -Bitwarden_rs logs failed login attempts to stdout. We need to set this so the host OS can see these. Then we can setup Fail2Ban. +As of release 1.5.0, bitwarden_rs supports logging to file. See [Logging](#logging) above for information on how to set this up. #### Logging Failed Login Attempts to Syslog -We need to set the logging driver to syslog so the host OS and Fail2Ban can see them. +After specifying the log file location, failed login attempts will appear in the logs in the following format: -If you are using docker commands, you will need to add: `--log-driver syslog --log-opt tag=$TAG` to your command. - -If you are using docker-compose, add this to you yaml file: ``` - bitwarden: - logging: - driver: "syslog" - options: - tag: "$TAG" +[YYYY-MM-DD hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com. ``` -With the above settings in the docker-compose file. Any failed login attempts will look like this in your syslog file: -``` -MMM DD hh:mm:ss server-hostname $TAG[773]: [YYYY-MM-DD][hh:mm:ss][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com. -``` -You can change the '$TAG' to anything you like. Just remember it because it will be in the Fail2Ban filter. #### Fail2Ban Filter @@ -485,11 +473,9 @@ And add the following before = common.conf [Definition] -_daemon = $TAG -failregex = ^%(__prefix_line)s.*Username or password is incorrect\. Try again\. IP: \. Username:.*$ +failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$ ignoreregex = ``` -Dont forget to change the '$TAG' to what you set it as from above. #### Fail2Ban Jail @@ -504,7 +490,8 @@ enabled = true port = 80,443,8081 filter = bitwarden action = iptables-allports[name=bitwarden] -logpath = /var/log/syslog +logpath = /path/to/bitwarden/log +backend = polling maxretry = 3 bantime = 14400 findtime = 14400 From cd6e4a0ebd2b571cbae8f59e5f3594244c739cea Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Wed, 26 Dec 2018 12:14:54 -0500 Subject: [PATCH 3/3] Remove reference to syslog --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c53a12bd..afac0f31 100644 --- a/README.md +++ b/README.md @@ -453,7 +453,7 @@ Though this is unlikely to be required in small deployment, you can fine-tune so As of release 1.5.0, bitwarden_rs supports logging to file. See [Logging](#logging) above for information on how to set this up. -#### Logging Failed Login Attempts to Syslog +#### Logging Failed Login Attempts After specifying the log file location, failed login attempts will appear in the logs in the following format: