[support] Bitwardenrs Bitwarden_rs


1 hour ago, Konfitüre said:

where can I find the bwdata folder?

The bwdata is the appdata folder. 


I've had this set up for a few months and love it.  

 

However, I can't seem to access the admin page.  If I replace the "Admin Token" with a new one in the docker config, and subsequently enter that value into the Admin page password, I get an Invalid Token error.

 

Am I missing something obvious?

On 4/22/2020 at 11:11 PM, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

Worked like a charm, thanks! 

On 4/22/2020 at 10:11 PM, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

This works perfectly, very nice. Using the letsencrypt docker: ip/admin works, subdomain/admin gives an error.

 

Normally I'm only using the IP because it's internal only. But the web vault stopped working; it needed HTTPS. That is only possible with the certificate.

 

Which makes the letsencrypt docker easy. I use the DNS plugin there, so only adding the bitwarden. subdomain and done, it works (when added to the DNS of the domain).

On 4/18/2020 at 3:54 PM, rilles said:

So I watched Spaceinvader One's video and a few others, and my head was exploding in anger and frustration. I don't want to expose this to the internet, I don't want a domain and I don't need a real cert, waaay too much fiddling.

 

So I scraped the bitwarden_rs docker site, and they have a few easier suggestions; the one I used was Caddy 1.x (also an unRAID docker).

 

https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples

 

You can't use localhost, so make sure you enter your server IP address, and I enabled "tls self_signed".

 

Works fine for me now on all browsers.

 

I want the same thing you have. Also, I already have a domain; setting it up was very easy, but that's beside the point. I currently have it open to the internet, except for /admin, which is not available via the web, only via LAN.

 

Looking at fail2ban, which is included in the letsencrypt docker, to see if I can make that very ban-happy.

I have no clue if this is the correct area to post this but I need some help with Bitwardenrs.

I have had it installed for the last 3 months and it is working well. Got all my family tied into it, so we are all happy.

Now my problem comes with using 2FA. I use a YubiKey for 90% of all my 2FA, but it seems that it does not play nice with Bitwardenrs.

It will not recognize certain aspects of the YubiKey, like OTP. And as well it gives me time sync errors.

I did find a piece of docker code that they said needs to be installed, but I do not know how to do it on unRAID.

docker run -d --name bitwarden \
  -e YUBICO_CLIENT_ID=12345 \
  -e YUBICO_SECRET_KEY=ABCDEABCDEABCDEABCDE= \
  -v /bw-data/:/data/ \
  -p 80:80 \
  bitwardenrs/server:latest

Can anyone shed some light on this for me?

Thanks so much

Edited by carltonb


Hey guys,

 

I was wondering if somebody could give me a hand to get this HTTPS working. I would like to try Bitwarden locally only because I don't like the idea of my password manager accessible from the internet with a reverse proxy like in the video of Spaceinvader one.

 

I tried a lot of things, but I just cannot get it to work. I tried installing Caddy, Nginx Proxy Manager etc. but no go. I would appreciate any help. I have Nextcloud up and running as per Spaceinvader One's video, so Let's Encrypt is working. I recently changed the repo to "swag" though, as the other repo was deprecated due to copyright issues, if I understand it correctly.

 

Side question: nobody here has any trouble with your password manager accessible from the internet? I mean (correct me if I am wrong) everybody who has the address can (try) to access your vault, right? Sure there is the log in, but somehow it feels less secure than an instance like OpenVPN or WireGuard. What are your thoughts?

 

gr Piet


On 9/9/2020 at 8:53 AM, poeterdebier said:

Side question: nobody here has any trouble with your password manager accessible from the internet? I mean (correct me if I am wrong) everybody who has the address can (try) to access your vault, right? Sure there is the log in, but somehow it feels less secure than an instance like OpenVPN or WireGuard. What are your thoughts?

I use 2FA and have email set up for failed logins. I feel safe. Also there may be Fail2ban built in.

 

On 9/9/2020 at 8:53 AM, poeterdebier said:

 

Side question: nobody here has any trouble with your password manager accessible from the internet? I mean (correct me if I am wrong) everybody who has the address can (try) to access your vault, right? Sure there is the log in, but somehow it feels less secure than an instance like OpenVPN or WireGuard. What are your thoughts?

 

gr Piet

I have a few dockers open to the net, but I set a firewall rule on my router to only accept specific port requests from one IP, which is my VPN IP. That way only I can access it, as the VPN is run by myself.


Hi, 

 

I'm hoping someone could give me some specific advice regarding Bitwarden and Fail2ban? 

 

I've spent over a week getting SWAG & Fail2ban set up, and the nice folks over on the SWAG thread have helped me out a great deal. My problem now, however, is Bitwarden specific.

 

I have added the extra parameters; "-e LOG_FILE=/data/bitwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true" to the bitwarden container and mapped SWAG to the newly created bitwarden log file. I have updated both "bitwarden.subdomain.conf" and "jail.local" however if I access my bitwarden page remotely and make several invalid login attempts, nothing happens, I'm allowed to keep continuing. 

 

Looking in the bitwarden log, it correctly lists all the login attempts. Looking in the fail2ban log however and there does not appear to be any mention of the login attempts. 

 

Since setting up SWAG and Fail2ban, this is the first program I've tried linking and so I've got no other to compare with. 

 

I have included below cut and pastes of the two mentioned files above along with my bitwarden.subdomain.conf in the hopes that someone can help. 

 

Many thanks. 

 

jail.local (email, password and destination redacted)


## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

[DEFAULT]

action = iptables-allports
                %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]

# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /config/log/nginx/error.log
maxretry = 6


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24


[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log

[nginx-deny]

enabled  = true
port     = http,https
filter   = nginx-deny
logpath  = /config/log/nginx/error.log

 

[bitwardenrs]

enabled = true
port = http,https
filter = bitwardenrs
action = iptables-allports[name=bitwardenrs]
logpath = /bitwarden/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

 

bitwardenrs.local


# Fail2Ban filter for Bitwarden
# Detecting failed login attempts
# Logged in bwdata/logs/identity/Identity/log.txt

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

 

bitwarden.subdomain.conf


# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

#COUNTRY GEO BLOCK
    if ($allowed_country = no) {
    return 444;
    }

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

Edited by LoneTraveler

1 minute ago, LoneTraveler said:

Fail2ban setup

The bitwarden filter that comes with fail2ban is not for bitwarden_rs. You need to create a new file and use the correct failregex. This is the filter I use. As noted, you have to call it something other than bitwarden.conf; I called it bitwarden_rs.conf.

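The failregex from the bitwardenrs.local filter posted above, replayed over constructed bitwarden_rs log lines with the [bitwardenrs] jail's maxretry=3 and findtime=14400, as an added example that is not Roxedus's filter and not part of the thread. It is a plain Python stand-in for what fail2ban does with that filter and jail: the "[date time][module][LEVEL] message" line layout is an assumption about bitwarden_rs's log format, the addresses are documentation ranges, fail2ban's <ADDR> placeholder is swapped for a simple IPv4/IPv6 group, and the 192.168.1.0/24 ignoreip is borrowed from the nginx-http-auth jail above (the posted bitwardenrs jail has none).

```python
"""Added example: apply the bitwarden_rs failregex and the jail thresholds to
sample log lines and report which client IPs the jail would ban."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the bitwardenrs.local filter above. fail2ban expands <ADDR>
# to its own IPv4/IPv6 pattern; a simplified named group stands in for it here.
FAILREGEX = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"
ADDR_PATTERN = r"(?P<addr>[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[0-9A-Fa-f:]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<ADDR>", ADDR_PATTERN))

# Assumed bitwarden_rs line prefix: "[YYYY-MM-DD HH:MM:SS][module][LEVEL] ..."
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample log: three quick failures from 203.0.113.7, three from a
# LAN host, two failures from 198.51.100.4 more than four hours apart from a
# first one, and one unrelated INFO line that must not match.
SAMPLE_LOG = """\
[2020-09-21 14:50:01][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2020-09-21 14:50:09][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2020-09-21 14:50:30][request][INFO] GET /api/sync
[2020-09-21 14:51:02][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.4. Username: bob@example.com.
[2020-09-21 14:52:15][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2020-09-21 14:53:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.10. Username: carol@example.com.
[2020-09-21 14:53:05][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.10. Username: carol@example.com.
[2020-09-21 14:53:09][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.1.10. Username: carol@example.com.
[2020-09-21 19:10:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.4. Username: bob@example.com.
[2020-09-21 19:10:20][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.4. Username: bob@example.com.
"""


def failures(lines):
    """Yield (timestamp, ip) for every line the failregex matches."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        if not ts:
            continue  # no parsable date: fail2ban would warn and skip the line
        yield datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("addr")


def banned_ips(log_text, maxretry=3, findtime=14400, ignoreip=("192.168.1.0/24",)):
    """Replay the jail: ban an IP once it has `maxretry` failures inside a
    `findtime`-second window, skipping any source inside the ignoreip networks.
    Returns the banned IPs in the order they would be banned."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    banned = []
    for ts, ip in failures(log_text.splitlines()):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignore_nets) or ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # forget failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print("matching lines:", sum(1 for _ in failures(SAMPLE_LOG.splitlines())))
    print("would ban:", banned_ips(SAMPLE_LOG))
```

To check the real filter against the real log the same way, run fail2ban-regex inside the SWAG container with the log path and the filter file as its two arguments: zero matches while the log plainly shows failed logins means the regex or the logpath is wrong, while matches but no bans points at the jail or action configuration instead.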
8 minutes ago, Roxedus said:

The bitwarden filter that comes with fail2ban is not for bitwarden_rs. You need to create a new file and use the correct failregex. This is the filter I use. As noted, you have to call it something other than bitwarden.conf; I called it bitwarden_rs.conf.

Hi, 

 

Wow, that was a quick reply, thanks. 

 

I've updated my bitwardenrs.local file as shown in the screenshot below, using the template you provided; however, after restarting Fail2ban I am unfortunately still able to make repeated login attempts.

[screenshot: 20200921_145554.jpg]

1 minute ago, Roxedus said:

What does your jail look like?

 

jail.local


## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

 

[DEFAULT]

 

action = iptables-allports
                %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]

 

# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".

banaction = iptables-allports

 

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

 

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

 

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /config/log/nginx/error.log
maxretry = 6


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24


[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log

 

[nginx-deny]

enabled  = true
port     = http,https
filter   = nginx-deny
logpath  = /config/log/nginx/error.log

 

[bitwardenrs]

enabled = true
port = http,https
filter = bitwardenrs
action = iptables-allports[name=bitwardenrs]
logpath = /bitwarden/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

 


I'm uncertain if it helps, but in the fail2ban log it shows an error of:

2020-09-21 14:53:17,501 fail2ban                [392]: ERROR   NOK: ('Action iptables-allports already exists',)

I don't know if that has anything to do with Bitwarden or not? 


OK, that log line indicates that f2b doesn't start, AFAIK. I don't have any default banaction, but I imagine defining the same action twice isn't optimal.

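Why "Action iptables-allports already exists" shows up, as an added example that is not part of the thread: the posted jail.local [DEFAULT] lists iptables-allports explicitly and then %(action_mw)s, and fail2ban's stock jail.conf defines action_mw as the banaction followed by sendmail-whois, so after interpolation every jail that inherits that default tries to register iptables-allports twice. The server rejects the configuration stream at that point, which is why the log above shows only the first jail being created and the bitwardenrs jail never loads. The script replays that interpolation with Python's configparser over a constructed subset of the stock defaults (assumption: the handful of jail.conf entries shown are enough for this expansion; fail2ban's own substitution handles action parameters more fully) and compares it with the same [DEFAULT] block using only the %(action_mw)s line.

```python
"""Added example: reproduce fail2ban's %(...)s action interpolation with
configparser to show where the duplicate iptables-allports comes from, and
that dropping the bare banaction line from `action` removes it."""
import configparser

# Constructed subset of fail2ban's stock jail.conf [DEFAULT]: only the entries
# involved in expanding %(action_mw)s. The real file has many more options.
STOCK_JAIL_CONF = """\
[DEFAULT]
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(action_)s
            %(mta)s-whois[sender="root@localhost", dest="root@localhost", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
"""

# [DEFAULT] as posted: an explicit ban action followed by %(action_mw)s, which
# already contains the ban action. One representative jail is included.
JAIL_LOCAL_AS_POSTED = """\
[DEFAULT]
action = iptables-allports
         %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]
banaction = iptables-allports

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
"""

# Same file with the redundant first line removed: the ban action now comes
# only from %(action_mw)s -> %(action_)s -> %(banaction)s.
JAIL_LOCAL_FIXED = """\
[DEFAULT]
action = %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]
banaction = iptables-allports

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
"""


def expanded_actions(jail_local, jail):
    """Action names fail2ban would register for `jail`, in order, after
    layering jail.local over the stock defaults and interpolating %(...)s."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(STOCK_JAIL_CONF)  # stock defaults first
    cp.read_string(jail_local)       # local overrides win, as fail2ban layers them
    names = []
    for line in cp.get(jail, "action").splitlines():
        line = line.strip()
        if line:
            names.append(line.split("[", 1)[0])  # 'name[params]' -> 'name'
    return names


def duplicate_actions(jail_local, jail):
    """Action names that would be registered more than once; fail2ban raises
    "Action <name> already exists" on the second registration."""
    names = expanded_actions(jail_local, jail)
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    for label, text in (("as posted", JAIL_LOCAL_AS_POSTED), ("fixed", JAIL_LOCAL_FIXED)):
        print(label, expanded_actions(text, "nginx-http-auth"),
              "duplicates:", duplicate_actions(text, "nginx-http-auth"))
```

The same duplication is visible in the transmitter WARNING further down, where nginx-http-auth gets 'addaction', 'iptables-allports' twice before 'sendmail-whois'. Because the [DEFAULT] banaction is already iptables-allports, keeping only the %(action_mw)s line gives the same ban plus the mail notification, each registered once.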

Looking at my fail2ban log in full since its last restart reports this:

2020-09-21 14:53:17,422 fail2ban.server         [392]: INFO    Starting Fail2ban v0.11.1
2020-09-21 14:53:17,423 fail2ban.observer       [392]: INFO    Observer start...
2020-09-21 14:53:17,474 fail2ban.database       [392]: INFO    Connected to fail2ban persistent database '/config/fail2ban/fail2ban.sqlite3'
2020-09-21 14:53:17,477 fail2ban.jail           [392]: INFO    Creating new jail 'nginx-http-auth'
2020-09-21 14:53:17,482 fail2ban.jail           [392]: INFO    Jail 'nginx-http-auth' uses poller {}
2020-09-21 14:53:17,482 fail2ban.jail           [392]: INFO    Initiated 'polling' backend
2020-09-21 14:53:17,494 fail2ban.filter         [392]: INFO      maxRetry: 5
2020-09-21 14:53:17,494 fail2ban.filter         [392]: INFO      findtime: 600
2020-09-21 14:53:17,494 fail2ban.actions        [392]: INFO      banTime: 600
2020-09-21 14:53:17,495 fail2ban.filter         [392]: INFO      encoding: UTF-8
2020-09-21 14:53:17,498 fail2ban.filter         [392]: INFO    Added logfile: '/config/log/nginx/error.log' (pos = 0, hash = 47f858d36526d1ef0a7f76c716c9701d41b5a948)
2020-09-21 14:53:17,499 fail2ban.transmitter    [392]: WARNING Command ['server-stream', [['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/config/log/fail2ban/fail2ban.log'], ['set', 'dbfile', '/config/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '1d'], ['add', 'nginx-http-auth', 'auto'], ['set', 'nginx-http-auth', 'usedns', 'warn'], ['set', 'nginx-http-auth', 'addfailregex', '^ \\[error\\] \\d+#\\d+: \\*\\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\\"]*"), client: <HOST>, server: \\S*, request: "\\S+ \\S+ HTTP/\\d+\\.\\d+", host: "\\S+"(?:, referrer: "\\S+")?\\s*$'], ['set', 'nginx-http-auth', 'datepattern', '{^LN-BEG}'], ['set', 'nginx-http-auth', 'maxretry', 5], ['set', 'nginx-http-auth', 'maxmatches', 5], ['set', 'nginx-http-auth', 'findtime', '600'], ['set', 'nginx-http-auth', 'bantime', '600'], ['set', 'nginx-http-auth', 'ignorecommand', ''], ['set', 'nginx-http-auth', 'addignoreip', '192.168.1.0/24'], ['set', 'nginx-http-auth', 'logencoding', 'auto'], ['set', 'nginx-http-auth', 'addlogpath', '/config/log/nginx/error.log', 'head'], ['set', 'nginx-http-auth', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-http-auth', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-http-auth\n<iptables> -A f2b-nginx-http-auth -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-http-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-http-auth\n<iptables> -F f2b-nginx-http-auth\n<iptables> -X f2b-nginx-http-auth'], ['actionflush', '<iptables> -F f2b-nginx-http-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-http-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-http-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-http-auth -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-http-auth'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT 
--reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-http-auth', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-http-auth', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-http-auth\n<iptables> -A f2b-nginx-http-auth -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-http-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-http-auth\n<iptables> -F f2b-nginx-http-auth\n<iptables> -X f2b-nginx-http-auth'], ['actionflush', '<iptables> -F f2b-nginx-http-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-http-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-http-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-http-auth -s <ip> -j <blocktype>'], ['name', 'nginx-http-auth'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-http-auth', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-http-auth', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-http-auth has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban 
<root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-http-auth has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX.XXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-http-auth.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX.XXX -apXXXXX XXXXX@XXXXX.XXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX.XXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. 
\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX.XXX -apXXXXX XXXXX@XXXXX.XXX'], ['norestored', True], ['name', 'nginx-http-auth'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX.XXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX.XXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'nginx-botsearch', 'auto'], ['set', 'nginx-botsearch', 'usedns', 'warn'], ['multi-set', 'nginx-botsearch', 'addfailregex', ['^<HOST> \\- \\S+ \\[\\] \\"(GET|POST|HEAD) \\/\\/?(roundcube|(ext)?mail|horde|(v-?)?webmail|(typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)|wp-(login|signup|admin)\\.php|cgi-bin|mysqladmin)[^,]* \\S+\\" 404 .+$', '^ \\[error\\] \\d+#\\d+: \\*\\d+ (\\S+ )?\\"\\S+\\" (failed|is not found) \\(2\\: No such file or directory\\), client\\: <HOST>\\, server\\: \\S*\\, request: \\"(GET|POST|HEAD) \\/\\/?(roundcube|(ext)?mail|horde|(v-?)?webmail|(typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)|wp-(login|signup|admin)\\.php|cgi-bin|mysqladmin)[^,]* \\S+\\"\\, .*?$']], ['set', 'nginx-botsearch', 'datepattern', '{^LN-BEG}%ExY(?P<_sep>[-/.])%m(?P=_sep)%d[T ]%H:%M:%S(?:[.,]%f)?(?:\\s*%z)?\n^[^\\[]*\\[({DATE})\n{^LN-BEG}'], ['set', 'nginx-botsearch', 'maxretry', 2], ['set', 'nginx-botsearch', 'maxmatches', 2], ['set', 'nginx-botsearch', 'findtime', '600'], ['set', 'nginx-botsearch', 'bantime', '600'], ['set', 'nginx-botsearch', 'ignorecommand', ''], ['set', 'nginx-botsearch', 'logencoding', 'auto'], ['set', 'nginx-botsearch', 'addlogpath', '/config/log/nginx/access.log', 'head'], ['set', 'nginx-botsearch', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-botsearch', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-botsearch\n<iptables> -A f2b-nginx-botsearch -j RETURN\n<iptables> -I 
INPUT -p tcp -j f2b-nginx-botsearch'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-botsearch\n<iptables> -F f2b-nginx-botsearch\n<iptables> -X f2b-nginx-botsearch'], ['actionflush', '<iptables> -F f2b-nginx-botsearch'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-botsearch[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-botsearch 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-botsearch -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-botsearch'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-botsearch', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-botsearch', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-botsearch\n<iptables> -A f2b-nginx-botsearch -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-botsearch'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-botsearch\n<iptables> -F f2b-nginx-botsearch\n<iptables> -X f2b-nginx-botsearch'], ['actionflush', '<iptables> -F f2b-nginx-botsearch'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-botsearch[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-botsearch 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-botsearch -s <ip> -j <blocktype>'], ['name', 'nginx-botsearch'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 
'nginx-botsearch', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-botsearch', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-botsearch has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-botsearch has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX.XXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-botsearch.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX.XXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. 
\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'nginx-botsearch'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'ssh', 'auto'], ['set', 'ssh', 'usedns', 'warn'], ['set', 'ssh', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'], ['set', 'ssh', 'maxlines', 1], ['multi-set', 'ssh', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! 
from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on 
\\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']], ['set', 'ssh', 'datepattern', '{^LN-BEG}'], ['set', 'ssh', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd'], ['set', 'ssh', 'maxretry', 6], ['set', 'ssh', 'maxmatches', 6], ['set', 'ssh', 'findtime', '600'], ['set', 'ssh', 'bantime', '600'], ['set', 'ssh', 'ignorecommand', ''], ['set', 'ssh', 'logencoding', 'auto'], ['set', 'ssh', 'addlogpath', '/config/log/nginx/error.log', 'head'], ['set', 'ssh', 'addaction', 'iptables-allports'], ['multi-set', 'ssh', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-ssh\n<iptables> -A f2b-ssh -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-ssh'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-ssh\n<iptables> -F f2b-ssh\n<iptables> -X f2b-ssh'], ['actionflush', '<iptables> -F f2b-ssh'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-ssh[ \\t]'"], ['actionban', '<iptables> -I f2b-ssh 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-ssh -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'ssh'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'ssh', 'addaction', 'iptables-allports'], ['multi-set', 'ssh', 'action', 
'iptables-allports', [['actionstart', '<iptables> -N f2b-ssh\n<iptables> -A f2b-ssh -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-ssh'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-ssh\n<iptables> -F f2b-ssh\n<iptables> -X f2b-ssh'], ['actionflush', '<iptables> -F f2b-ssh'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-ssh[ \\t]'"], ['actionban', '<iptables> -I f2b-ssh 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-ssh -s <ip> -j <blocktype>'], ['name', 'ssh'], ['port', 'ssh'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'ssh', 'addaction', 'sendmail-whois'], ['multi-set', 'ssh', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] ssh: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail ssh has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] ssh: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail ssh has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] ssh: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against ssh.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois 
program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] ssh: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'ssh'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'nginx-badbots', 'auto'], ['set', 'nginx-badbots', 'usedns', 'warn'], ['set', 'nginx-badbots', 'addfailregex', '^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:Atomic_Email_Hunter/4\\.0|atSpider/1\\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\\.6|ContactBot/0\\.2|ContentSmartz|DataCha0s/2\\.0|DBrowse 1\\.4b|DBrowse 1\\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\\.0\\.x|ISC Systems iRc Search 2\\.1|IUPUI Research Bot v 1\\.9a|LARBIN-EXPERIMENTAL \\(efp@gmx\\.net\\)|LetsCrawl\\.com/1\\.0 \\+http\\://letscrawl\\.com/|Lincoln State Web Browser|LMQueueBot/0\\.2|LWP\\:\\:Simple/5\\.803|Mac Finder 1\\.0\\.xx|MFC Foundation Class Library 4\\.0|Microsoft URL Control - 6\\.00\\.8xxx|Missauga Locate 1\\.0\\.0|Missigua Locator 1\\.9|Missouri College Browse|Mizzu Labs 2\\.2|Mo College 
1\\.9|MVAClient|Mozilla/2\\.0 \\(compatible; NEWT ActiveX; Win32\\)|Mozilla/3\\.0 \\(compatible; Indy Library\\)|Mozilla/3\\.0 \\(compatible; scan4mail \\(advanced version\\) http\\://www\\.peterspages\\.net/?scan4mail\\)|Mozilla/4\\.0 \\(compatible; Advanced Email Extractor v2\\.xx\\)|Mozilla/4\\.0 \\(compatible; Iplexx Spider/1\\.0 http\\://www\\.iplexx\\.at\\)|Mozilla/4\\.0 \\(compatible; MSIE 5\\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\\.0 efp@gmx\\.net|Mozilla/5\\.0 \\(Version\\: xxxx Type\\:xx\\)|NameOfAgent \\(CMS Spider\\)|NASA Search 1\\.0|Nsauditor/1\\.x|PBrowse 1\\.4b|PEval 1\\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\\.0\\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\\.com|ShablastBot 1\\.0|snap\\.com beta crawler v0|Snapbot/1\\.0|Snapbot/1\\.0 \\(Snap Shots&#44; \\+http\\://www\\.snap\\.com\\)|sogou develop spider|Sogou Orion spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sogou spider|Sogou web spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\\.2|User-Agent\\: Mozilla/4\\.0 \\(compatible; MSIE 6\\.0; Windows NT 5\\.1\\)|VadixBot|WebVulnCrawl\\.unknown/1\\.0 libwww-perl/5\\.803|Wells Search II|WEP Search 00|EmailCollector|WebEMailExtrac|TrackBack/1\\.02|sogou music spider)"$'], ['set', 'nginx-badbots', 'maxretry', 2], ['set', 'nginx-badbots', 'maxmatches', 2], ['set', 'nginx-badbots', 'findtime', '600'], ['set', 'nginx-badbots', 'bantime', '600'], ['set', 'nginx-badbots', 'ignorecommand', ''], ['set', 'nginx-badbots', 'logencoding', 'auto'], ['set', 'nginx-badbots', 'addlogpath', '/config/log/nginx/access.log', 'head'], ['set', 'nginx-badbots', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-badbots', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-badbots\n<iptables> -A 
f2b-nginx-badbots -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-badbots'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-badbots\n<iptables> -F f2b-nginx-badbots\n<iptables> -X f2b-nginx-badbots'], ['actionflush', '<iptables> -F f2b-nginx-badbots'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-badbots[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-badbots 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-badbots -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-badbots'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-badbots', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-badbots', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-badbots\n<iptables> -A f2b-nginx-badbots -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-badbots'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-badbots\n<iptables> -F f2b-nginx-badbots\n<iptables> -X f2b-nginx-badbots'], ['actionflush', '<iptables> -F f2b-nginx-badbots'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-badbots[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-badbots 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-badbots -s <ip> -j <blocktype>'], ['name', 'nginx-badbots'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 
'nginx-badbots', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-badbots', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-badbots: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-badbots has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-badbots: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-badbots has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-badbots: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-badbots.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-badbots: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. 
\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'nginx-badbots'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'nginx-deny', 'auto'], ['set', 'nginx-deny', 'usedns', 'warn'], ['set', 'nginx-deny', 'addfailregex', '^ \\[error\\] \\d+#\\d+: \\*\\d+ (access forbidden by rule), client: <HOST>, server: \\S*, request: "\\S+ \\S+ HTTP\\/\\d+\\.\\d+", host: "\\S+"(?:, referrer: "\\S+")?\\s*$'], ['set', 'nginx-deny', 'datepattern', '{^LN-BEG}'], ['set', 'nginx-deny', 'maxretry', 5], ['set', 'nginx-deny', 'maxmatches', 5], ['set', 'nginx-deny', 'findtime', '600'], ['set', 'nginx-deny', 'bantime', '600'], ['set', 'nginx-deny', 'ignorecommand', ''], ['set', 'nginx-deny', 'logencoding', 'auto'], ['set', 'nginx-deny', 'addlogpath', '/config/log/nginx/error.log', 'head'], ['set', 'nginx-deny', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-deny', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-deny\n<iptables> -A f2b-nginx-deny -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-deny'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-deny\n<iptables> -F f2b-nginx-deny\n<iptables> -X f2b-nginx-deny'], ['actionflush', '<iptables> -F f2b-nginx-deny'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-deny[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-deny 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-deny -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-deny'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with 
icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-deny', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-deny', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-deny\n<iptables> -A f2b-nginx-deny -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-deny'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-deny\n<iptables> -F f2b-nginx-deny\n<iptables> -X f2b-nginx-deny'], ['actionflush', '<iptables> -F f2b-nginx-deny'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-deny[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-deny 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-deny -s <ip> -j <blocktype>'], ['name', 'nginx-deny'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-deny', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-deny', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-deny: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-deny has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-deny: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-deny has been 
stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-deny: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-deny.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-deny: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'nginx-deny'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'bitwardenrs', 'auto'], ['set', 'bitwardenrs', 'usedns', 'warn'], ['set', 'bitwardenrs', 'addfailregex', 'Username or password is incorrect\\. Try again\\. IP: <HOST>\\. 
Username: .*\\.$'], ['set', 'bitwardenrs', 'maxretry', 3], ['set', 'bitwardenrs', 'maxmatches', 3], ['set', 'bitwardenrs', 'findtime', '14400'], ['set', 'bitwardenrs', 'bantime', '14400'], ['set', 'bitwardenrs', 'ignorecommand', ''], ['set', 'bitwardenrs', 'logencoding', 'auto'], ['set', 'bitwardenrs', 'addlogpath', '/bitwarden/bitwarden.log', 'head'], ['set', 'bitwardenrs', 'addaction', 'iptables-allports'], ['multi-set', 'bitwardenrs', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-bitwardenrs\n<iptables> -A f2b-bitwardenrs -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-bitwardenrs'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-bitwardenrs\n<iptables> -F f2b-bitwardenrs\n<iptables> -X f2b-bitwardenrs'], ['actionflush', '<iptables> -F f2b-bitwardenrs'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-bitwardenrs[ \\t]'"], ['actionban', '<iptables> -I f2b-bitwardenrs 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-bitwardenrs -s <ip> -j <blocktype>'], ['name', 'bitwardenrs'], ['actname', 'iptables-allports'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['start', 'nginx-http-auth'], ['start', 'nginx-botsearch'], ['start', 'ssh'], ['start', 'nginx-badbots'], ['start', 'nginx-deny'], ['start', 'bitwardenrs']]] has failed. Received ValueError('Action iptables-allports already exists')

2020-09-21 14:53:17,501 fail2ban                [392]: ERROR   NOK: ('Action iptables-allports already exists',)

 

I just assumed that all that related to the "email notification" conf files that I have yet to complete. 


Test the failregex on the command line

fail2ban-regex /bitwarden/bitwarden.log /config/fail2ban/filter.d/bitwardenrs.local

 

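To see what fail2ban-regex is checking, here is an added example (not from the thread and not fail2ban's own code) that replays the bitwardenrs jail from the dump above over a few constructed log lines: it plugs a simplified stand-in for fail2ban's <HOST> tag into the failregex, then applies the jail's maxretry (3) and findtime (14400 s) counting rule. The log line format with a leading "[YYYY-MM-DD HH:MM:SS]" timestamp and the <HOST> expansion are assumptions; the sample lines are constructed, not real Bitwarden_rs output.

```python
"""Dry-run of the bitwardenrs fail2ban jail over constructed log lines.

Added example, not part of the original forum post or of fail2ban itself.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters copied from the bitwardenrs jail in the fail2ban dump.
FAILREGEX = r"Username or password is incorrect\. Try again\. IP: <HOST>\. Username: .*\.$"
MAXRETRY = 3
FINDTIME = timedelta(seconds=14400)

# Assumption: a simplified stand-in for fail2ban's <HOST> tag (IPv4, IPv6 or hostname).
HOST_TAG = r"(?P<host>[\w.:-]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Assumption: Bitwarden_rs lines start with a "[YYYY-MM-DD HH:MM:SS]" timestamp.
TIMESTAMP_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample log (not real Bitwarden_rs output), in chronological order.
SAMPLE_LOG = [
    "[2020-09-21 09:10:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: bob@example.com.",
    "[2020-09-21 12:00:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: bob@example.com.",
    "[2020-09-21 14:00:01][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.",
    "[2020-09-21 14:00:09][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.",
    "[2020-09-21 14:00:20][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.",
    "[2020-09-21 14:05:00][bitwarden_rs::api::identity][INFO] Unrelated message mentioning IP: 203.0.113.7.",
    "[2020-09-21 15:30:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: bob@example.com.",
    "[2020-09-21 16:00:00][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 2001:db8::1. Username: carol@example.com.",
]


def parse_line(line):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = TIMESTAMP_RE.match(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
    return when, m.group("host")


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Apply the jail's counting rule: a host is banned once it has maxretry
    failures inside a sliding findtime window. Returns (bans, matched), where
    bans is a list of (timestamp, host) in log order and matched counts how
    many lines hit the failregex per host (what fail2ban-regex reports)."""
    recent = defaultdict(deque)
    matched = defaultdict(int)
    banned = set()
    bans = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        when, host = hit
        matched[host] += 1
        if host in banned:
            continue
        window = recent[host]
        window.append(when)
        # Drop failures older than findtime relative to this one.
        while window and when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((when, host))
            banned.add(host)
            window.clear()
    return bans, dict(matched)


if __name__ == "__main__":
    bans, matched = run_jail(SAMPLE_LOG)
    print(f"Lines: {len(SAMPLE_LOG)}, matched: {sum(matched.values())}")
    for host, count in matched.items():
        print(f"  {host}: {count} failure(s)")
    for when, host in bans:
        print(f"BAN {host} at {when}")
```

Bob's three failures span more than four hours, so he never reaches maxretry inside one findtime window; Alice's three failures within twenty seconds do, and the IPv6 client shows the host capture is not IPv4-only. If a real line from /bitwarden/bitwarden.log does not match here, it will not match in fail2ban-regex either, which is the quickest way to tell a regex problem from a jail start-up problem like the one in the log above.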
4 minutes ago, Roxedus said:

Test the failregex on the command line


fail2ban-regex /bitwarden/bitwarden.log /config/fail2ban/filter.d/bitwardenrs.local

 

That command returns:

[screenshot: 20200921_161538.jpg]

9 minutes ago, Roxedus said:

So the regex is working, the only thing is that f2b doesn't start

Excellent. 👍

 

I have also just reverted all files in my action.d folder to defaults. Checking the fail2ban logs again, the same error is still showing, which includes a reference to my email and password, so is it possible the error is linked to the entry below in my jail.local file:

	[DEFAULT]

	action = iptables-allports
	         %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]

 


You can delete the default action, if you define it in your jails, yes

 

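The error text in the log, "Action iptables-allports already exists", is what fail2ban raises when one jail ends up with two actions of the same name, and the dump above shows every jail receiving iptables-allports twice: once as the bare first line of the DEFAULT action and once through %(action_mw)s, which expands to the jail's banaction plus a sendmail-whois action. Here is an added pre-flight check (not from the thread and not fail2ban's own code) that parses a jail.local-style file and reports that condition before fail2ban is reloaded. It only models the parts of fail2ban's interpolation needed here (%(action_mw)s, %(action_)s and %(banaction)s, with sendmail as the MTA); that simplification and the two sample configs are assumptions, so confirm against the real thing with `fail2ban-client -d`.

```python
"""Pre-flight check for duplicate action names in a fail2ban jail.local.

Added example, not part of the original forum thread or of fail2ban. It models
only the interpolation relevant to the error in the thread (an assumption).
"""
import configparser
import re

# Constructed config in the shape shown in the thread: the ban action is listed
# explicitly and again through %(action_mw)s, which already carries banaction.
BROKEN_JAIL_LOCAL = """
[DEFAULT]
banaction = iptables-allports
action = iptables-allports
         %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]

[bitwardenrs]
enabled = true
port = http,https
logpath = /bitwarden/bitwarden.log
maxretry = 3
"""

# Same config with the explicit iptables-allports line dropped; banaction still
# selects iptables-allports through %(action_mw)s.
FIXED_JAIL_LOCAL = """
[DEFAULT]
banaction = iptables-allports
action = %(action_mw)s[from=XXXXX@XXXXX.XXX, password=XXXXX, destination=XXXXX@XXXXX.XXX, sendername=Fail2Ban]

[bitwardenrs]
enabled = true
port = http,https
logpath = /bitwarden/bitwarden.log
maxretry = 3
"""

# An action entry is "<name>" or "<name>[param=value, ...]"; take the name.
ACTION_NAME_RE = re.compile(r"^([\w.-]+)")


def expand_actions(action_value, banaction, mta="sendmail"):
    """Return the action names a jail would end up with, in order.

    Simplified model (assumption): %(action_mw)s -> banaction + <mta>-whois,
    %(action_)s and %(banaction)s -> banaction, anything else is a literal name.
    """
    names = []
    for entry in action_value.strip().splitlines():
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("%(action_mw)s"):
            names.extend([banaction, f"{mta}-whois"])
        elif entry.startswith("%(action_)s") or entry.startswith("%(banaction)s"):
            names.append(banaction)
        else:
            names.append(ACTION_NAME_RE.match(entry).group(1))
    return names


def duplicate_actions(jail_local_text):
    """Return {jail: [duplicated action names]} for every enabled jail."""
    # RawConfigParser leaves %(...)s untouched so we can expand it ourselves.
    cp = configparser.RawConfigParser()
    cp.read_string(jail_local_text)
    problems = {}
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue
        banaction = cp.get(jail, "banaction", fallback="iptables-multiport")
        mta = cp.get(jail, "mta", fallback="sendmail")
        names = expand_actions(cp.get(jail, "action", fallback=""), banaction, mta)
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:
            problems[jail] = dupes
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_JAIL_LOCAL), ("fixed", FIXED_JAIL_LOCAL)):
        print(label, duplicate_actions(text) or "OK")
```

Run it against your own file with `duplicate_actions(open("/config/fail2ban/jail.local").read())`. The same duplicate also appears if a jail section lists banaction explicitly while DEFAULT already has `%(action_mw)s`, which is the case Roxedus describes: define the action either in DEFAULT or per jail, not both.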
9 minutes ago, Roxedus said:

You can delete the default action, if you define it in your jails, yes

 

Unfortunately I'm still at a loss. I removed that line, same error. 

 

It's times like this that the monitor is close to being thrown out of the window. 😁


@Roxedus Good news, my trouble stems from the jails themselves. I disabled all of them except for Bitwarden and it is working/banning as expected. I'll just need to go through the other jails one by one to determine which one is the culprit then tackle that.

 

Thanks for your help! 

On 8/18/2020 at 12:37 AM, carltonb said:

I have no clue if this is the correct area to post this but I need some help with Bitwardenrs.

I have it installed for the last 3 months and is working well. Got all my family tied into it so we are all happy.

Now my problem comes with using 2FA. I use a YubiKey for 90% of all my 2FA, but it seems that it does not play nice with Bitwardenrs.

It will not recognize certain aspects of the YubiKey, like OTP. As well, it gives me time sync errors.

I did find a piece of docker code they said that needs to be installed but I do not know how to do it on unRaid.


docker run -d --name bitwarden \
  -e YUBICO_CLIENT_ID=12345 \
  -e YUBICO_SECRET_KEY=ABCDEABCDEABCDEABCDE= \
  -v /bw-data/:/data/ \
  -p 80:80 \
  bitwardenrs/server:latest

Can anyone shed some light on this for me.

Thanks so much

@carltonb I have just got this working. You need to:

  • Follow the instructions at this link to get values for YUBICO_CLIENT_ID and YUBICO_SECRET_KEY.
  • In UNRAID - open the settings for the bitwardenrs Docker container
  • At the bottom click on "Add another Path, Port, Variable, Label or Device"
  • Set Config Type = Variable, Name = YUBICO_CLIENT_ID, Key = YUBICO_CLIENT_ID, Value = <Your Yubico Client ID>
  • Click Add
  • Add another variable as above for YUBICO_SECRET_KEY
  • Click APPLY to restart the Docker container

That should be it - now you can configure the Yubikey in the Bitwarden Settings.
