Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[support] Vaultwarden (formerly Bitwarden_rs)

Featured Replies

  • Author
1 hour ago, Konfitüre said:

where can I find the bwdata folder?

The bwdata is the appdata folder. 

  • Replies 734
  • Views 277.4k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I added the following to my reverse proxy for the admin panel   location /admin { return 404; } I only access the panel locally using the direct ip.

  • New repository is: vaultwarden/server:latest Change it in docker settings: Stop the container Rename repository to vaultwarden/server Hit Apply and start the container

  • log showing [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure. Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`. See: https://github.com/dani-gar

Posted Images

I've had this set up for a few months and love it.  

 

However, I can't seem to access the admin page.  If I replace the "Admin Token" with a new one in the docker config, and subsequently enter that value into the Admin page password, I get an Invalid Token error.

 

Am I missing something obvious?

On 4/22/2020 at 11:11 PM, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

Worked like a charm, thanks! 

On 4/22/2020 at 10:11 PM, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

This works perfectly. very nice.  Using the letsencrypt docker. ip/admin works sub/domain/admin error

 

normally im only using the IP because its internal only.  But the web vault stopped working needed the https. That is only possible with the certificate.

 

which makes the letsencrypt docker easy. I use the DNS plugin there. So only adding the bitwarden. subdomain and done it works. (When added to the DNS of the domain)

On 4/18/2020 at 3:54 PM, rilles said:

So I watch space invaders video and a few others and my head was exploding in anger and frustration.  I don't want to expose this to the internet, I don't want a domain and I don't need a real cert, waaay too much fiddling.

 

So scraped the bitwarden_rs docker site and they have a few easier suggestions - the one I used was Caddy 1.x (also a unraid docker)

 

https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples

 

you can't use localhost so make sure you enter your server IP address, and I enabled "tls self_signed"

 

works fine for me now on all browsers.

 

i want the same thing you have. Also i already have a domain. setting it up was very easy but that beside the point.  I have it currently open to the interwebs Except for the /admin that is not avail via web only via Lan.

 

Looking at fail2ban which is included in the letsencrypt docker if i can make that very ban happy.

I have no clue if this is the correct area to post this but I need some help with Bitwardenrs.

I have it installed for the last 3 months and is working well. Got all my family tied into it so we are all happy.

Now my problem comes with using 2FA. I use a YubiKey for 90% of all my 2FA, but it seems that it does not play nice with Bitwardenrs.

It will not recognize certain aspects odf the YubiKey, like otp. And as well it it gives me time sync errors.

I did find a piece of docker code they said that needs to be installed but I do not know how to do it on unRaid.

docker run -d --name bitwarden \
  -e YUBICO_CLIENT_ID=12345 \
  -e YUBICO_SECRET_KEY=ABCDEABCDEABCDEABCDE= \
  -v /bw-data/:/data/ \
  -p 80:80 \
  bitwardenrs/server:latest

Can anyone shed some light on this for me.

Thanks so much

Edited by carltonb

  • 4 weeks later...

He Guys,

 

I was wondering if somebody could give me a hand to get this HTTPS working. I would like to try Bitwarden locally only because I don't like the idea of my password manager accessible from the internet with a reverse proxy like in the video of Spaceinvader one.

 

I tried a lot of things but I just cannot get it to work. I tried installing Caddy, Nginx Proxy Manger etc but no go. I would appreciate any help. I have Nextcloud up and running as per Spaceinvader one's video. So Let's Encrypt is working. I recently changed the repo to "swag" though. As the other repo was depreciated due to copyright issues if I understand it correctly.

 

Side question: nobody here has any trouble with your password manager accessible from the internet? I mean (correct me if I am wrong) everybody who has the address can (try) to access you vault right? Sure there is the log in but somehow it feels less secure than an instance like openVPN or Wireguard. What are you're thoughts?

 

gr Piet

He Guys,

 

I was wondering if somebody could give me a hand to get this HTTPS working. I would like to try Bitwarden locally only because I don't like the idea of my password manager accessible from the internet with a reverse proxy like in the video of Spaceinvader one.

 

I tried a lot of things but I just cannot get it to work. I tried installing Caddy, Nginx Proxy Manger etc but no go. I would appreciate any help. I have Nextcloud up and running as per Spaceinvader one's video. So Let's Encrypt is working. I recently changed the repo to "swag" though. As the other repo was depreciated due to copyright issues if I understand it correctly.

 

Side question: nobody here has any trouble with your password manager accessible from the internet? I mean (correct me if I am wrong) everybody who has the address can (try) to access you vault right? Sure there is the log in but somehow it feels less secure than an instance like openVPN or Wireguard. What are you're thoughts?

 

gr Piet

I use 2FA and email setup for failed logins. I feel safe. Also there maybe Fail2ban built in

 

Sent from my Pixel 4 XL using Tapatalk

 

 

 

  • 2 weeks later...
On 9/9/2020 at 8:53 AM, poeterdebier said:

 

Side question: nobody here has any trouble with your password manager accessible from the internet? I mean (correct me if I am wrong) everybody who has the address can (try) to access you vault right? Sure there is the log in but somehow it feels less secure than an instance like openVPN or Wireguard. What are you're thoughts?

 

gr Piet

I have a few dockers open to the net, but i set a firewall rule on my router to only accept specific port requests from one IP which is my VPN IP. That way only i can access it, as the VPN is run by myself.

Hi, 

 

I'm hoping someone could give me some specific advice regarding Bitwarden and Fail2ban? 

 

I've spent over a week getting SWAG & Fail2ban setup, and the nice folks over on the SWAG thread have helped me out a great deal. My problem now however is bitwarden specific. 

 

I have added the extra parameters; "-e LOG_FILE=/data/bitwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true" to the bitwarden container and mapped SWAG to the newly created bitwarden log file. I have updated both "bitwarden.subdomain.conf" and "jail.local" however if I access my bitwarden page remotely and make several invalid login attempts, nothing happens, I'm allowed to keep continuing. 

 

Looking in the bitwarden log, it correctly lists all the login attempts. Looking in the fail2ban log however and there does not appear to be any mention of the login attempts. 

 

Since setting up SWAG and Fail2ban, this is the first program I've tried linking and so I've got no other to compare with. 

 

I have included below cut and pastes of the two mentioned files above along with my bitwarden.subdomain.conf in the hopes that someone can help. 

 

Many thanks. 

 

jail.local (email, password and destination redacted)

Quote

## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

[DEFAULT]

action = iptables-allports
                %(action_mw)s[[email protected], password=XXXXX, [email protected], sendername=Fail2Ban]

# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /config/log/nginx/error.log
maxretry = 6


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24


[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log

[nginx-deny]

enabled  = true
port     = http,https
filter   = nginx-deny
logpath  = /config/log/nginx/error.log

 

[bitwardenrs]

enabled = true
port = http,https
filter = bitwardenrs
action = iptables-allports[name=bitwardenrs]
logpath = /bitwarden/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

 

bitwardenrs.local

Quote

# Fail2Ban filter for Bitwarden
# Detecting failed login attempts
# Logged in bwdata/logs/identity/Identity/log.txt

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

 

bitwarden.subdomain.conf

Quote

# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

#COUNTRY GEO BLOCK
    if ($allowed_country = no) {
    return 444;
    }

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwardenrs;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

Edited by LoneTraveler

  • Author
1 minute ago, LoneTraveler said:

Fail2ban setup

The bitwarden filter that comes with fail2ban is not for bitwarden_rs. You need to create a new file, and use the correct failregex. This is the filter I use. As noted you have to call it something else than bitwarden.conf, i called it bitwarden_rs.conf

8 minutes ago, Roxedus said:

The bitwarden filter that comes with fail2ban is not for bitwarden_rs. You need to create a new file, and use the correct failregex. This is the filter I use. As noted you have to call it something else than bitwarden.conf, i called it bitwarden_rs.conf

Hi, 

 

Wow, that was a quick reply, thanks. 

 

I've updated my bitwardenrs.local file as imaged below, using the template you provided, however after restarting Fail2ban I am unfortunately still able to make repeated login attempts.

 

 

20200921_145554.jpg

1 minute ago, Roxedus said:

What does your jail look like?

 

jail.local

Quote

## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

 

[DEFAULT]

 

action = iptables-allports
                %(action_mw)s[[email protected], password=XXXXX, [email protected], sendername=Fail2Ban]

 

# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".

banaction = iptables-allports

 

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

 

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

 

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /config/log/nginx/error.log
maxretry = 6


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24


[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log

 

[nginx-deny]

enabled  = true
port     = http,https
filter   = nginx-deny
logpath  = /config/log/nginx/error.log

 

[bitwardenrs]

enabled = true
port = http,https
filter = bitwardenrs
action = iptables-allports[name=bitwardenrs]
logpath = /bitwarden/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

 

I'm uncertain if it helps, but in the fail2ban log, it shows an error of;

Quote

2020-09-21 14:53:17,501 fail2ban                [392]: ERROR   NOK: ('Action iptables-allports already exists',)

I don't know if that has anything to do with Bitwarden or not? 

  • Author

Ok, that logline indicates that f2b doesnt start afaik. I dont have any default banaction, but i imagine defining the same action twice isnt optimal

Looking at my fail2ban log in full since it's last restart reports this;

 

Quote

2020-09-21 14:53:17,422 fail2ban.server         [392]: INFO    Starting Fail2ban v0.11.1

2020-09-21 14:53:17,423 fail2ban.observer       [392]: INFO    Observer start...

2020-09-21 14:53:17,474 fail2ban.database       [392]: INFO    Connected to fail2ban persistent database '/config/fail2ban/fail2ban.sqlite3'

2020-09-21 14:53:17,477 fail2ban.jail           [392]: INFO    Creating new jail 'nginx-http-auth'

2020-09-21 14:53:17,482 fail2ban.jail           [392]: INFO    Jail 'nginx-http-auth' uses poller {}

2020-09-21 14:53:17,482 fail2ban.jail           [392]: INFO    Initiated 'polling' backend

2020-09-21 14:53:17,494 fail2ban.filter         [392]: INFO      maxRetry: 5

2020-09-21 14:53:17,494 fail2ban.filter         [392]: INFO      findtime: 600

2020-09-21 14:53:17,494 fail2ban.actions        [392]: INFO      banTime: 600

2020-09-21 14:53:17,495 fail2ban.filter         [392]: INFO      encoding: UTF-8

2020-09-21 14:53:17,498 fail2ban.filter         [392]: INFO    Added logfile: '/config/log/nginx/error.log' (pos = 0, hash = 47f858d36526d1ef0a7f76c716c9701d41b5a948)

2020-09-21 14:53:17,499 fail2ban.transmitter    [392]: WARNING Command ['server-stream', [['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/config/log/fail2ban/fail2ban.log'], ['set', 'dbfile', '/config/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '1d'], ['add', 'nginx-http-auth', 'auto'], ['set', 'nginx-http-auth', 'usedns', 'warn'], ['set', 'nginx-http-auth', 'addfailregex', '^ \\[error\\] \\d+#\\d+: \\*\\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\\"]*"), client: <HOST>, server: \\S*, request: "\\S+ \\S+ HTTP/\\d+\\.\\d+", host: "\\S+"(?:, referrer: "\\S+")?\\s*$'], ['set', 'nginx-http-auth', 'datepattern', '{^LN-BEG}'], ['set', 'nginx-http-auth', 'maxretry', 5], ['set', 'nginx-http-auth', 'maxmatches', 5], ['set', 'nginx-http-auth', 'findtime', '600'], ['set', 'nginx-http-auth', 'bantime', '600'], ['set', 'nginx-http-auth', 'ignorecommand', ''], ['set', 'nginx-http-auth', 'addignoreip', '192.168.1.0/24'], ['set', 'nginx-http-auth', 'logencoding', 'auto'], ['set', 'nginx-http-auth', 'addlogpath', '/config/log/nginx/error.log', 'head'], ['set', 'nginx-http-auth', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-http-auth', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-http-auth\n<iptables> -A f2b-nginx-http-auth -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-http-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-http-auth\n<iptables> -F f2b-nginx-http-auth\n<iptables> -X f2b-nginx-http-auth'], ['actionflush', '<iptables> -F f2b-nginx-http-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-http-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-http-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-http-auth -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-http-auth'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-http-auth', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-http-auth', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-http-auth\n<iptables> -A f2b-nginx-http-auth -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-http-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-http-auth\n<iptables> -F f2b-nginx-http-auth\n<iptables> -X f2b-nginx-http-auth'], ['actionflush', '<iptables> -F f2b-nginx-http-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-http-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-http-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-http-auth -s <ip> -j <blocktype>'], ['name', 'nginx-http-auth'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-http-auth', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-http-auth', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-http-auth has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-http-auth has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: [email protected]\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-http-auth.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' [email protected] -apXXXXX [email protected]'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-http-auth: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: [email protected]\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' [email protected] -apXXXXX [email protected]'], ['norestored', True], ['name', 'nginx-http-auth'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', '[email protected]'], ['password', 'XXXXX'], ['destination', '[email protected]'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'nginx-botsearch', 'auto'], ['set', 'nginx-botsearch', 'usedns', 'warn'], ['multi-set', 'nginx-botsearch', 'addfailregex', ['^<HOST> \\- \\S+ \\[\\] \\"(GET|POST|HEAD) \\/\\/?(roundcube|(ext)?mail|horde|(v-?)?webmail|(typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)|wp-(login|signup|admin)\\.php|cgi-bin|mysqladmin)[^,]* \\S+\\" 404 .+$', '^ \\[error\\] \\d+#\\d+: \\*\\d+ (\\S+ )?\\"\\S+\\" (failed|is not found) \\(2\\: No such file or directory\\), client\\: <HOST>\\, server\\: \\S*\\, request: \\"(GET|POST|HEAD) \\/\\/?(roundcube|(ext)?mail|horde|(v-?)?webmail|(typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)|wp-(login|signup|admin)\\.php|cgi-bin|mysqladmin)[^,]* \\S+\\"\\, .*?$']], ['set', 'nginx-botsearch', 'datepattern', '{^LN-BEG}%ExY(?P<_sep>[-/.])%m(?P=_sep)%d[T ]%H:%M:%S(?:[.,]%f)?(?:\\s*%z)?\n^[^\\[]*\\[({DATE})\n{^LN-BEG}'], ['set', 'nginx-botsearch', 'maxretry', 2], ['set', 'nginx-botsearch', 'maxmatches', 2], ['set', 'nginx-botsearch', 'findtime', '600'], ['set', 'nginx-botsearch', 'bantime', '600'], ['set', 'nginx-botsearch', 'ignorecommand', ''], ['set', 'nginx-botsearch', 'logencoding', 'auto'], ['set', 'nginx-botsearch', 'addlogpath', '/config/log/nginx/access.log', 'head'], ['set', 'nginx-botsearch', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-botsearch', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-botsearch\n<iptables> -A f2b-nginx-botsearch -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-botsearch'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-botsearch\n<iptables> -F f2b-nginx-botsearch\n<iptables> -X f2b-nginx-botsearch'], ['actionflush', '<iptables> -F f2b-nginx-botsearch'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-botsearch[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-botsearch 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-botsearch -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-botsearch'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-botsearch', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-botsearch', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-botsearch\n<iptables> -A f2b-nginx-botsearch -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-botsearch'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-botsearch\n<iptables> -F f2b-nginx-botsearch\n<iptables> -X f2b-nginx-botsearch'], ['actionflush', '<iptables> -F f2b-nginx-botsearch'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-botsearch[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-botsearch 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-botsearch -s <ip> -j <blocktype>'], ['name', 'nginx-botsearch'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-botsearch', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-botsearch', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-botsearch has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-botsearch has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: [email protected]\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-botsearch.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' [email protected] -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-botsearch: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'nginx-botsearch'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'ssh', 'auto'], ['set', 'ssh', 'usedns', 'warn'], ['set', 'ssh', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'], ['set', 'ssh', 'maxlines', 1], ['multi-set', 'ssh', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']], ['set', 'ssh', 'datepattern', '{^LN-BEG}'], ['set', 'ssh', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd'], ['set', 'ssh', 'maxretry', 6], ['set', 'ssh', 'maxmatches', 6], ['set', 'ssh', 'findtime', '600'], ['set', 'ssh', 'bantime', '600'], ['set', 'ssh', 'ignorecommand', ''], ['set', 'ssh', 'logencoding', 'auto'], ['set', 'ssh', 'addlogpath', '/config/log/nginx/error.log', 'head'], ['set', 'ssh', 'addaction', 'iptables-allports'], ['multi-set', 'ssh', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-ssh\n<iptables> -A f2b-ssh -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-ssh'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-ssh\n<iptables> -F f2b-ssh\n<iptables> -X f2b-ssh'], ['actionflush', '<iptables> -F f2b-ssh'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-ssh[ \\t]'"], ['actionban', '<iptables> -I f2b-ssh 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-ssh -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'ssh'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'ssh', 'addaction', 'iptables-allports'], ['multi-set', 'ssh', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-ssh\n<iptables> -A f2b-ssh -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-ssh'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-ssh\n<iptables> -F f2b-ssh\n<iptables> -X f2b-ssh'], ['actionflush', '<iptables> -F f2b-ssh'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-ssh[ \\t]'"], ['actionban', '<iptables> -I f2b-ssh 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-ssh -s <ip> -j <blocktype>'], ['name', 'ssh'], ['port', 'ssh'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'ssh', 'addaction', 'sendmail-whois'], ['multi-set', 'ssh', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] ssh: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail ssh has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] ssh: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail ssh has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] ssh: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against ssh.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] ssh: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'ssh'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'nginx-badbots', 'auto'], ['set', 'nginx-badbots', 'usedns', 'warn'], ['set', 'nginx-badbots', 'addfailregex', '^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:Atomic_Email_Hunter/4\\.0|atSpider/1\\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\\.6|ContactBot/0\\.2|ContentSmartz|DataCha0s/2\\.0|DBrowse 1\\.4b|DBrowse 1\\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\\.0\\.x|ISC Systems iRc Search 2\\.1|IUPUI Research Bot v 1\\.9a|LARBIN-EXPERIMENTAL \\(efp@gmx\\.net\\)|LetsCrawl\\.com/1\\.0 \\+http\\://letscrawl\\.com/|Lincoln State Web Browser|LMQueueBot/0\\.2|LWP\\:\\:Simple/5\\.803|Mac Finder 1\\.0\\.xx|MFC Foundation Class Library 4\\.0|Microsoft URL Control - 6\\.00\\.8xxx|Missauga Locate 1\\.0\\.0|Missigua Locator 1\\.9|Missouri College Browse|Mizzu Labs 2\\.2|Mo College 1\\.9|MVAClient|Mozilla/2\\.0 \\(compatible; NEWT ActiveX; Win32\\)|Mozilla/3\\.0 \\(compatible; Indy Library\\)|Mozilla/3\\.0 \\(compatible; scan4mail \\(advanced version\\) http\\://www\\.peterspages\\.net/?scan4mail\\)|Mozilla/4\\.0 \\(compatible; Advanced Email Extractor v2\\.xx\\)|Mozilla/4\\.0 \\(compatible; Iplexx Spider/1\\.0 http\\://www\\.iplexx\\.at\\)|Mozilla/4\\.0 \\(compatible; MSIE 5\\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\\.0 efp@gmx\\.net|Mozilla/5\\.0 \\(Version\\: xxxx Type\\:xx\\)|NameOfAgent \\(CMS Spider\\)|NASA Search 1\\.0|Nsauditor/1\\.x|PBrowse 1\\.4b|PEval 1\\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\\.0\\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\\.com|ShablastBot 1\\.0|snap\\.com beta crawler v0|Snapbot/1\\.0|Snapbot/1\\.0 \\(Snap Shots&#44; \\+http\\://www\\.snap\\.com\\)|sogou develop spider|Sogou Orion spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sogou spider|Sogou web spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\\.2|User-Agent\\: Mozilla/4\\.0 \\(compatible; MSIE 6\\.0; Windows NT 5\\.1\\)|VadixBot|WebVulnCrawl\\.unknown/1\\.0 libwww-perl/5\\.803|Wells Search II|WEP Search 00|EmailCollector|WebEMailExtrac|TrackBack/1\\.02|sogou music spider)"$'], ['set', 'nginx-badbots', 'maxretry', 2], ['set', 'nginx-badbots', 'maxmatches', 2], ['set', 'nginx-badbots', 'findtime', '600'], ['set', 'nginx-badbots', 'bantime', '600'], ['set', 'nginx-badbots', 'ignorecommand', ''], ['set', 'nginx-badbots', 'logencoding', 'auto'], ['set', 'nginx-badbots', 'addlogpath', '/config/log/nginx/access.log', 'head'], ['set', 'nginx-badbots', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-badbots', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-badbots\n<iptables> -A f2b-nginx-badbots -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-badbots'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-badbots\n<iptables> -F f2b-nginx-badbots\n<iptables> -X f2b-nginx-badbots'], ['actionflush', '<iptables> -F f2b-nginx-badbots'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-badbots[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-badbots 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-badbots -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-badbots'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-badbots', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-badbots', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-badbots\n<iptables> -A f2b-nginx-badbots -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-badbots'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-badbots\n<iptables> -F f2b-nginx-badbots\n<iptables> -X f2b-nginx-badbots'], ['actionflush', '<iptables> -F f2b-nginx-badbots'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-badbots[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-badbots 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-badbots -s <ip> -j <blocktype>'], ['name', 'nginx-badbots'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-badbots', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-badbots', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-badbots: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-badbots has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-badbots: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-badbots has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-badbots: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-badbots.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-badbots: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'nginx-badbots'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'nginx-deny', 'auto'], ['set', 'nginx-deny', 'usedns', 'warn'], ['set', 'nginx-deny', 'addfailregex', '^ \\[error\\] \\d+#\\d+: \\*\\d+ (access forbidden by rule), client: <HOST>, server: \\S*, request: "\\S+ \\S+ HTTP\\/\\d+\\.\\d+", host: "\\S+"(?:, referrer: "\\S+")?\\s*$'], ['set', 'nginx-deny', 'datepattern', '{^LN-BEG}'], ['set', 'nginx-deny', 'maxretry', 5], ['set', 'nginx-deny', 'maxmatches', 5], ['set', 'nginx-deny', 'findtime', '600'], ['set', 'nginx-deny', 'bantime', '600'], ['set', 'nginx-deny', 'ignorecommand', ''], ['set', 'nginx-deny', 'logencoding', 'auto'], ['set', 'nginx-deny', 'addlogpath', '/config/log/nginx/error.log', 'head'], ['set', 'nginx-deny', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-deny', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-deny\n<iptables> -A f2b-nginx-deny -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-deny'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-deny\n<iptables> -F f2b-nginx-deny\n<iptables> -X f2b-nginx-deny'], ['actionflush', '<iptables> -F f2b-nginx-deny'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-deny[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-deny 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-deny -s <ip> -j <blocktype>'], ['actname', 'iptables-allports'], ['name', 'nginx-deny'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-deny', 'addaction', 'iptables-allports'], ['multi-set', 'nginx-deny', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-nginx-deny\n<iptables> -A f2b-nginx-deny -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-nginx-deny'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-nginx-deny\n<iptables> -F f2b-nginx-deny\n<iptables> -X f2b-nginx-deny'], ['actionflush', '<iptables> -F f2b-nginx-deny'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-nginx-deny[ \\t]'"], ['actionban', '<iptables> -I f2b-nginx-deny 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-nginx-deny -s <ip> -j <blocktype>'], ['name', 'nginx-deny'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-allports'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['set', 'nginx-deny', 'addaction', 'sendmail-whois'], ['multi-set', 'nginx-deny', 'action', 'sendmail-whois', [['actionstart', 'printf %b "Subject: [Fail2Ban] nginx-deny: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-deny has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actionstop', 'printf %b "Subject: [Fail2Ban] nginx-deny: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: root@localhost\\n\nHi,\\n\nThe jail nginx-deny has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@<fq-hostname>" "root@localhost"'], ['actioncheck', ''], ['actionban', 'printf %b "Subject: [Fail2Ban] nginx-deny: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against nginx-deny.\\n\\n\nHere is more information about <ip> :\\n\n`whois <ip> || echo "missing whois program"`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['actionunban', 'printf %b "Subject: [Fail2Ban] nginx-deny: UNBANNED IP <ip> \nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@<fq-hostname>>\nTo: XXXXX@XXXXX\\n\nHi,\\n\nFail2ban has unbanned ip https://db-ip.com/<ip> successfully. \\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -t -v -H \'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465\' -auXXXXX@XXXXX -apXXXXX XXXXX@XXXXX'], ['norestored', True], ['name', 'nginx-deny'], ['sender', 'root@<fq-hostname>'], ['dest', 'root@localhost'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['from', 'XXXXX@XXXXX'], ['password', 'XXXXX'], ['destination', 'XXXXX@XXXXX'], ['sendername', 'Fail2Ban'], ['actname', 'sendmail-whois'], ['mailcmd', '/usr/sbin/sendmail -f "<sender>" "<dest>"']]], ['add', 'bitwardenrs', 'auto'], ['set', 'bitwardenrs', 'usedns', 'warn'], ['set', 'bitwardenrs', 'addfailregex', 'Username or password is incorrect\\. Try again\\. IP: <HOST>\\. Username: .*\\.$'], ['set', 'bitwardenrs', 'maxretry', 3], ['set', 'bitwardenrs', 'maxmatches', 3], ['set', 'bitwardenrs', 'findtime', '14400'], ['set', 'bitwardenrs', 'bantime', '14400'], ['set', 'bitwardenrs', 'ignorecommand', ''], ['set', 'bitwardenrs', 'logencoding', 'auto'], ['set', 'bitwardenrs', 'addlogpath', '/bitwarden/bitwarden.log', 'head'], ['set', 'bitwardenrs', 'addaction', 'iptables-allports'], ['multi-set', 'bitwardenrs', 'action', 'iptables-allports', [['actionstart', '<iptables> -N f2b-bitwardenrs\n<iptables> -A f2b-bitwardenrs -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-bitwardenrs'], ['actionstop', '<iptables> -D INPUT -p tcp -j f2b-bitwardenrs\n<iptables> -F f2b-bitwardenrs\n<iptables> -X f2b-bitwardenrs'], ['actionflush', '<iptables> -F f2b-bitwardenrs'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-bitwardenrs[ \\t]'"], ['actionban', '<iptables> -I f2b-bitwardenrs 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-bitwardenrs -s <ip> -j <blocktype>'], ['name', 'bitwardenrs'], ['actname', 'iptables-allports'], ['chain', 'INPUT'], ['port', 'ssh'], ['protocol', 'tcp'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['start', 'nginx-http-auth'], ['start', 'nginx-botsearch'], ['start', 'ssh'], ['start', 'nginx-badbots'], ['start', 'nginx-deny'], ['start', 'bitwardenrs']]] has failed. Received ValueError('Action iptables-allports already exists')

2020-09-21 14:53:17,501 fail2ban                [392]: ERROR   NOK: ('Action iptables-allports already exists',)

 

I just assumed that all that related to the "email notification" conf files that I have yet to complete. 

  • Author

Test the failregex on the command line

fail2ban-regex /bitwarden/bitwarden.log /config/fail2ban/filter.d/bitwardenrs.local

 

4 minutes ago, Roxedus said:

Test the failregex on the command line


fail2ban-regex /bitwarden/bitwarden.log /config/fail2ban/filter.d/bitwardenrs.local

 

That command returns;

 

 

20200921_161538.jpg

  • Author

So the regex is working, the only thing is that f2b doesn't start

9 minutes ago, Roxedus said:

So the regex is working, the only thing is that f2b doesn't start

Excellent. 👍

 

I have also just reverted all files in my action.d folder to defaults. Checking the fail2ban logs again, the same error is still showing, which includes reference to my email and password, and so is it possible the error is linked to the below entry in my jail.local file;

Quote

[DEFAULT]

action = iptables-allports
                %(action_mw)s[[email protected], password=XXXXX, [email protected], sendername=Fail2Ban]

 

  • Author

You can delete the default action, of you define it in your jails, yes

 

9 minutes ago, Roxedus said:

You can delete the default action, of you define it in your jails, yes

 

Unfortunately I'm still at a loss. I removed that line, same error. 

 

It's times like this that the monitor is close to being thrown out of the window. 😁

@Roxedus Good news, my trouble stems from the jails themselves. I disabled all of them except for Bitwarden and it is working/banning as expected. I'll just need to go through the other jails one by one to determine which one is the culprit then tackle that.

 

Thanks for your help! 

On 8/18/2020 at 12:37 AM, carltonb said:

I have no clue if this is the correct area to post this but I need some help with Bitwardenrs.

I have it installed for the last 3 months and is working well. Got all my family tied into it so we are all happy.

Now my problem comes with using 2FA. I use a YubiKey for 90% of all my 2FA, but it seems that it does not play nice with Bitwardenrs.

It will not recognize certain aspects odf the YubiKey, like otp. And as well it it gives me time sync errors.

I did find a piece of docker code they said that needs to be installed but I do not know how to do it on unRaid.


docker run -d --name bitwarden \
  -e YUBICO_CLIENT_ID=12345 \
  -e YUBICO_SECRET_KEY=ABCDEABCDEABCDEABCDE= \
  -v /bw-data/:/data/ \
  -p 80:80 \
  bitwardenrs/server:latest

Can anyone shed some light on this for me.

Thanks so much

@carltonb I have just got this working. You need to:

  • Follow the instructions at this link to get values for YUBICO_CLIENT_ID and YUBICO_SECRET_KEY.
  • In UNRAID - open the settings for the bitwardenrs Docker container
  • At the bottom click on "Add another Path, Port, Variable, Label or Device"
  • Set Config Type = Variable, Name = YUBICO_CLIENT_ID, Key = YUBICO_CLIENT_ID, Value = <Your Yubico Client ID>
  • Click Add
  • Add another variable as above for YUBICO_SECRET_KEY
  • Click APPLY to restart the Docker container

That should be it - now you can configure the Yubikey in the Bitwarden Settings.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.