fail2ban: implement for bitwarden

2026-01-20 14:39:23 -05:00
parent aa2c61dcd3
commit 0214621a58
1 changed files with 15 additions and 0 deletions
--- a/services/bitwarden.nix
+++ b/services/bitwarden.nix
@@ -43,4 +43,19 @@
    "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
    "Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
  ];
+
+  # Protect Vaultwarden login from brute force attacks
+  services.fail2ban.jails.vaultwarden = {
+    enabled = true;
+    settings = {
+      backend = "systemd";
+      port = "http,https";
+      # defaults: maxretry=5, findtime=10m, bantime=10m
+    };
+    filter.Definition = {
+      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
+      ignoreregex = "";
+      journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+    };
+  };
 }