[GH-ISSUE #678] fail2ban regex will match but no match found when actually running #455

Closed
opened 2026-03-03 01:29:18 +03:00 by kerem · 6 comments

Originally created by @Ezzahhh on GitHub (Oct 22, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/678

I have followed the instructions in the wiki to set up fail2ban. My setup is with caddy and bitwarden_rs both running in docker with root and using cloudflare cdn for https. My log is being output in /bw-data/bitwarden.log and it appears to be updating. My OS time and the log time appear to match up. When I run fail2ban's regex on the given one in the wiki and the bitwarden.conf it appears to find matches. However, when I try to spam logins myself the fail2ban log does not show any indication that anything is happening even with the verbosity set to DEBUG. Comparatively, the ssh blocking appears to work.

bitwarden.conf

```
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =
```

bitwarden.local

```
[bitwarden]
enabled = true
port = 80,443
filter = bitwarden
action = iptables-allports[name=bitwarden]
logpath = /bw-data/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
```

fail2ban.log basically just does the usual startup and ends like this:

```
2019-10-22 23:05:34,232 fail2ban.jail [15452]: INFO Jail 'bitwarden' started
```

kerem closed this issue 2026-03-03 01:29:18 +03:00

@hwwilliams commented on GitHub (Oct 22, 2019):

Hey @Ezzahhh, you may have to use the following action in bitwarden.local since you're using docker and docker uses the forward chain in iptables.

```
action = iptables-allports[name=bitwarden, chain=FORWARD]
```


@Ezzahhh commented on GitHub (Oct 23, 2019):

My understanding from the wiki was to not include the chain forward because I have docker AND caddy as a reverse proxy in front. Wouldn't fail2ban normally show something in logs if it at least picked up something to ban in logs before taking action? I'm not sure. It's weird because I get nothing at all.

I have tried running with chain=FORWARD but nothing happens.


@hwwilliams commented on GitHub (Oct 23, 2019):

In that case I'm not too sure; I'm also using docker but with Traefik instead of Caddy. I use the `chain=FORWARD` action as I mentioned and it's working fine for me with no changes to Traefik.

Perhaps someone else can chime in.


@Ezzahhh commented on GitHub (Oct 23, 2019):

Yeah it's definitely something to do with my bitwarden config, because fail2ban is banning IPs for sshd and that is working fine.

When I run `fail2ban-regex /bw-data/bitwarden.log /etc/fail2ban/filter.d/bitwarden.conf`

I definitely get matches on previous failed logins:

```
Running tests
=============

Use   failregex filter file : bitwarden, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /bw-data/bitwarden.log
Use         encoding : UTF-8


Results
=======

Failregex: 167 total
|-  #) [# of hits] regular expression
|   1) [167] ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [285360] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 285360 lines, 0 ignored, 167 matched, 285193 missed
[processed in 10.88 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 285193 lines
```

@dani-garcia commented on GitHub (May 13, 2020):

Closed due to inactivity.


@savowe commented on GitHub (Dec 21, 2020):

I had the very same issue. Tried some things posted in other issues such as checking for correct timezone settings and so forth; nothing worked. Even though `fail2ban-regex` got all the correct hits with the regex `^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$` it would not work when actually running fail2ban.
It started working when I changed the timestamp to
`-e LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S"`
leaving out the `%3f` at the end.

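One reason a jail can stay silent while `fail2ban-regex` reports hundreds of matches, as the thread above shows, is the time window: `fail2ban-regex` counts every matching line whatever its age, whereas the running daemon only counts failures whose parsed timestamp falls within `findtime` of the current time, so a timestamp that is misparsed or stale never contributes to a ban. The Python below is an added illustration of that difference using the issue's failregex and jail settings; it is not code from vaultwarden or fail2ban, and the bracketed log line layout, the `<HOST>` expansion and the sample log are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# failregex from the issue's bitwarden.conf, with <HOST> expanded by hand.
FAILREGEX = re.compile(
    r"^.*Username or password is incorrect\. Try again\. "
    r"IP: (?P<host>\S+)\. Username:.*$"
)
# Leading timestamp; the fraction is optional so lines written with or without
# the %3f of LOG_TIMESTAMP_FORMAT both parse.
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d{3}))?\]")

def fail_line(ts, ip, user):
    """Constructed log line in the shape the failregex expects (assumed layout)."""
    return (f"[{ts}][vaultwarden::api::identity][ERROR] Username or password "
            f"is incorrect. Try again. IP: {ip}. Username: {user}.")

NOW = datetime(2019, 10, 22, 23, 10, 0)          # the jail's idea of "now"
LINES = [                                         # constructed sample log
    fail_line("2019-10-21 10:00:01.111", "203.0.113.5", "bob@example.com"),
    fail_line("2019-10-21 10:00:02.222", "203.0.113.5", "bob@example.com"),
    fail_line("2019-10-21 10:00:03.333", "203.0.113.5", "bob@example.com"),
    fail_line("2019-10-22 23:05:34.232", "203.0.113.9", "alice@example.com"),
    fail_line("2019-10-22 23:05:35", "203.0.113.9", "alice@example.com"),
    fail_line("2019-10-22 23:05:36.001", "203.0.113.9", "alice@example.com"),
    "[2019-10-22 23:05:37.000][request][INFO] POST /identity/connect/token",
]

def parse_line(line):
    """Return (timestamp, host) for a failed-login line, else None."""
    m, t = FAILREGEX.match(line), TIMESTAMP.match(line)
    if not m or not t:
        return None
    ts = datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S")
    if t.group(2):
        ts += timedelta(milliseconds=int(t.group(2)))
    return ts, m.group("host")

def regex_hits(lines):
    """What fail2ban-regex reports: every matching line, whatever its age."""
    return sum(1 for line in lines if parse_line(line))

def jail_bans(lines, now, findtime, maxretry):
    """What the running jail does: count only failures dated within findtime
    of now, per host, and ban hosts that reach maxretry."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and now - parsed[0] <= timedelta(seconds=findtime):
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With the issue's `findtime = 14400` and `maxretry = 3`, the six matching lines all count for `regex_hits`, but only the three recent failures from 203.0.113.9 lead to a ban; the day-old failures from 203.0.113.5 are ignored by the jail exactly as they would be in a real fail2ban run.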