[support] Vaultwarden (formerly Bitwarden_rs)



Vaultwarden is an unofficial Bitwarden-compatible server written in Rust

Templated by Selfhosters, used by many. 

Featured in this video by @SpaceInvaderOne

FAQ:
Q: I get `An error has occurred. Cannot read property 'importKey' of null` when trying to log in.
A: This is expected when trying to log in over HTTP, especially in Chrome. This is a security measure by the browser, not a bug.

Edited by Roxedus
  • Like 2
Link to comment
15 hours ago, dschrade said:

ACCESS_TOKEN is not showing up in config cannot access admin page

If you have updated the ACCESS_TOKEN since you updated the docker, just use the old password, or change the config file for bitwarden and place the new password there, and you're in. The location should be /mnt/cache/appdata/bitwarden/config.json. Use nano or vi to edit the file.

Edited by Tucubanito07
Link to comment

Hello,

I have two questions.

1) I've already setup an instance of BW, now I was trying to add a second one and I get following error:

CreateXML: XML file was missing

2) Why is mandatory to have an ACCESS_TOKEN?
I mean obviously you need one WHEN you need to access the admin console, but when you don't need it - you could just avoid to have an access_token and an admin page.

 

Thanks 🙂

Link to comment
3 hours ago, TDA said:

Why is mandatory to have an ACCESS_TOKEN

It's not really. However, the container won't run if it's blank, and marking it as required forces the user to fill it, and I agree with the method SpaceInvader showed in his video to create the user. Using the admin page works independently of allowing signups.

 

3 hours ago, TDA said:

CreateXML: XML file was missing

Does your original container use the mpbrasil repository?

Link to comment
6 hours ago, Roxedus said:

It's not really. However, the container won't run if it's blank, and marking it as required forces the user to fill it, and I agree with the method SpaceInvader showed in his video to create the user. Using the admin page works independently of allowing signups.

I know it won't run since it is mandatory.
My question is why? Since the old mpbrasil container didn't need it to start, and neither does BW need it (mandatory).

Isn't possible to modify the template and set the entry NOT_MANDATORY?

Since isn't really needed for BW itself.

6 hours ago, Roxedus said:

Does your original container use the mpbrasil repository?

I migrated from mprasil to this - maybe I forgot something?

Link to comment
33 minutes ago, TDA said:

Isn't possible to modify the template and set the entry NOT_MANDATORY?

Yes. But the variable gets set, with the value of NULL, which makes the container shut down. I won't remove it because I feel like it's the best way to get started, even though you don't need to do it this way.
 

37 minutes ago, TDA said:

I migrated from mprasil to this - maybe I forgot something?

Depending on how you tried to add the second one, it may have tried to use the template from @cheesemarathon

Link to comment
45 minutes ago, Roxedus said:

Yes. But the variable gets set, with the value of NULL, which makes the container shut down. I won't remove it because I feel like it's the best way to get started, even though you don't need to do it this way.

Hmm... maybe it is the best way to get started, but what about the users who don't want it?
When not needed, it is always better to have admin access disabled when accessible from the Internet (even if it's a base64 pwd).
So there is no way to use this container without the ADMIN_TOKEN ?

46 minutes ago, Roxedus said:

Depending on how you tried to add the second one, it may have tried to use the template from @cheesemarathon

I simply tried to add it through the CommunityApp.

Link to comment
1 minute ago, TDA said:

So there is no way to use this container without the ADMIN_TOKEN

I just spotted a change which came live after my initial research, I will research this some more. 

 

 

5 minutes ago, TDA said:

CommunityApp

I just did this on my VM, and it worked fine. 

Link to comment

This docker is not secure as is for outside access.  Digging around so far I found that logging was not enabled so I enabled it on the template under advanced, then extra parameters

-e LOG_FILE=/data/bitwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true

and now it logs into the /data/bitwarden.log file.

Now I can't execute fail2ban, so maybe it's not installed either, because it's not where the link you sent shows it to be.

I am not that familiar with docker honestly, so I wouldn't know where to begin with that.

 

I love this app and thanks for getting it for us :)

worst case scenario I can have it log to  letsencrypt and configure a jail for it in there.

Edited by kilobit
  • Like 1
  • Thanks 1
Link to comment
On 2/4/2020 at 8:28 PM, Roxedus said:

Does your original container use the mpbrasil repository?

I actually think that these guys have an extension in their browser that's interfering.    So far as I can tell (until someone gives me the data file I've requested in the CA thread), what they're describing is impossible.

Link to comment
26 minutes ago, kilobit said:

Now I can't execute fail2ban

You run fail2ban on your reverse proxy. linuxserver/letsencrypt has fail2ban. 
Although this guide is for organizr and letsencrypt, the concept of mapping the file and configuring f2b is the same.
This is the only variable I added: `-e 'LOG_FILE'='/data/bitwarden.log'`

 

31 minutes ago, kilobit said:

worst case scenario I can have it log to  letsencrypt

This is imho the preferred way. 

Link to comment
1 hour ago, ijuarez said:

Good luck to you guys that are exploring the docker for the rest of us. Lawrence also did a video, but using a VM, not docker: youtube video

 

For me I just paid the 12 bucks annually and got a family plan, yes it has some limits but for saving my passwords it works. 

It's not the money for me but the security. To be honest, they maybe have an even better setup than we can offer, but every day something is getting breached.

Link to comment
44 minutes ago, kilobit said:

I got fail2ban installed but my regex is terrible and the default one isn't working for some reason and it's not seeing the log.

I had to apt-get update and apt-get install fail2ban. Then I removed the jails in the default conf that were causing a problem. Followed this link https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup and I have run out of time today.

The one from their wiki works perfectly for me, mounting the logs from the bitwarden container to the letsencrypt container. f2b is doing both iptables and firewall actions on triggers.

Link to comment

Ok, here is everything you need to do to get this working.

 

First edit bitwarden container then click on "advanced"
 

Extra Parameters:    

 -e LOG_FILE=/log/bitwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true

Then add path:
container path: /log
host path: /mnt/user/syslog (unraid share you want bitwarden to log to)
access mode: read/write

#apply/done

 

Next edit letsencrypt container

then add path:
container path: /log
host path: /mnt/user/syslog (unraid share you want bitwarden to log to)
access mode: read/write
#apply/done

 

Now edit ../appdata/letsencrypt/fail2ban/jail.local
* at the BOTTOM of the file add:

[bitwarden]
enabled = true
port = http,https
filter = bitwarden
action = iptables-allports[name=bitwarden]
logpath = /log/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

#save/close


Then create and edit ../appdata/letsencrypt/fail2ban/filter.d/bitwarden.conf and add:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

#save and close

#restart letsencrypt container

 

Testing

Use your phone or something outside your LAN, and once you fail 3 logins you will be banned.

To show banned IPs and unban, enter the letsencrypt console from the docker window.

List banned IPs: `iptables -n -L --line-numbers`

Unban an IP: `fail2ban-client set bitwarden unbanip 107.224.235.134`
exit

-End

Edited by kilobit
  • Like 2
  • Thanks 2
Link to comment
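
The filter and jail from the post above can be checked offline before trusting them with a live log. This is an added example, not part of the original post or of the Vaultwarden project: the log lines are constructed, the IPv4 pattern is an assumed stand-in for fail2ban's `<ADDR>` tag, and the function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME = 3, 14400  # maxretry / findtime (seconds) from the jail.local above

# failregex copied from the post's bitwarden.conf; fail2ban expands <ADDR> itself.
FAILREGEX = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"
# Assumption: a simple IPv4-only stand-in for fail2ban's <ADDR> tag.
PATTERN = re.compile(FAILREGEX.replace("<ADDR>", r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3})"))
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed log lines (documentation IP ranges), shaped like timestamped log output.
FAIL = ("[bitwarden_rs::api::identity][ERROR] Username or password is incorrect. "
        "Try again. IP: {}. Username: user@example.com.")
SAMPLE_LOG = "\n".join([
    "[2020-02-05 10:00:01.120]" + FAIL.format("203.0.113.7"),
    "[2020-02-05 10:00:09.004]" + FAIL.format("203.0.113.7"),
    "[2020-02-05 10:00:15.300][bitwarden_rs::api::core][WARN] Unrelated warning",
    "[2020-02-05 10:00:20.871]" + FAIL.format("203.0.113.7"),    # third failure: ban
    "[2020-02-05 10:05:00.000]" + FAIL.format("198.51.100.20"),
    "[2020-02-05 10:06:00.000]" + FAIL.format("198.51.100.20"),
    "[2020-02-05 15:00:00.000]" + FAIL.format("198.51.100.20"),  # outside findtime
    "[2020-02-05 15:01:00.000]" + FAIL.format("192.0.2.44"),
])

def failures(log_text):
    """Yield (timestamp, ip) for every line the filter would count as a failure."""
    for line in log_text.splitlines():
        hit, stamp = PATTERN.match(line), STAMP.match(line)
        if hit and stamp:
            when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
            yield when, hit.group("addr")

def banned_ips(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return IPs reaching maxretry failures inside a sliding findtime window."""
    recent, banned = defaultdict(deque), []
    for when, ip in failures(log_text):
        window = recent[ip]
        window.append(when)
        # Drop failures that are older than findtime relative to this one.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print("would ban:", banned_ips(SAMPLE_LOG))
```

On the real system, `fail2ban-regex`, which ships with fail2ban, performs the same match against the mounted log and the filter file.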
  • Roxedus changed the title to [support] Vaultwarden (formerly Bitwarden_rs)
