Hardening: Brute-force mitigation #4568
Replies: 3 comments 4 replies
-
Because there's more to Vaultwarden than just login, and more to rate limiting with fail2ban than just brute-force protection.
-
Mostly because of legacy, I think. The built-in rate limiting is newer than the wiki. Also, Vaultwarden doesn't block total access to the API, only to the login endpoints. Fail2ban can block that IP from accessing your whole server, not only Vaultwarden.
-
I think you may have misunderstood how 2FA works in this situation. First, there are multiple 2FA options, not just TOTP. Hardware tokens, for example, provide a substantial 2FA security benefit and make it extremely difficult to brute-force a password. TOTP, though, while it is a '6 digit code', is a code that changes every 30 seconds. There are nearly 1 million possible codes which will need to be attempted within the 30-second window in order to be successful. Tools like fail2ban can easily notice rapid failures and delay (or block) further attempts so that the code will expire and the attempts will have to start over again.
-
I want to deploy Vaultwarden such that it is accessible over the internet. Of course, I had a look at the Hardening Guide.
In the chapter Brute-force mitigation (which I find extremely important), I came across two things:
This is already a Vaultwarden security feature that can be controlled by LOGIN_RATELIMIT_SECONDS and ADMIN_RATELIMIT_SECONDS. Why does the wiki suggest fail2ban, if Vaultwarden comes with a very similar built-in feature? Am I missing something here?!
I know it's not explicitly stated but one could easily misinterpret this sentence. With 2FA enabled, brute-force is a little bit harder but not impossible. To be precise, the entropy added by a 6 digit code is ~20 bits.
If there is a fruitful discussion in this thread, I would gladly summarize everything and post it to the wiki.
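To put numbers on the "~20 bits" figure in the original post and on the 30-second-window argument in the reply above, here is an added worked estimate. It is not code from this thread or from Vaultwarden; the rate-limit parameters (how many attempts a limiter lets through per window) and the TOTP verifier's accepted-code count are constructed assumptions, not the project's defaults. It answers the defender's question: given a limiter, how long would an attacker who already holds the password need to guess the second factor?

```python
"""Brute-force odds against a TOTP second factor under a login rate limit.

Added illustration for the discussion above; not Vaultwarden's code.
All limiter settings below are constructed assumptions.
"""
from math import log2

TOTP_STEP_SECONDS = 30          # a TOTP code is valid for one 30-second step
SECONDS_PER_DAY = 86_400


def totp_entropy_bits(digits: int) -> float:
    """Bits of entropy added by a numeric code of the given length.

    For 6 digits this is log2(10**6) ~= 19.93, the '~20 bits' figure.
    """
    return log2(10 ** digits)


def attempts_per_step(window_seconds: float, max_attempts: int) -> float:
    """Guesses a limiter allowing `max_attempts` per `window_seconds`
    lets through during one 30-second TOTP step (assumed limiter model)."""
    return max_attempts * TOTP_STEP_SECONDS / window_seconds


def success_probability(guesses_per_step: float, digits: int,
                        valid_codes: int = 1) -> float:
    """Chance that one step's guesses hit a code the verifier accepts.

    `valid_codes` models a verifier that tolerates clock skew and accepts
    a few adjacent codes (assumption; 1 means the current code only).
    Within a step the code is fixed, so guesses are distinct draws.
    """
    space = 10 ** digits
    return min(1.0, guesses_per_step * valid_codes / space)


def expected_seconds_to_success(guesses_per_step: float, digits: int,
                                valid_codes: int = 1) -> float:
    """Expected wall-clock time until a hit, treating each 30-second step
    as an independent trial (a geometric process with mean 1/p steps)."""
    p = success_probability(guesses_per_step, digits, valid_codes)
    return TOTP_STEP_SECONDS / p


def probability_within(guesses_per_step: float, digits: int,
                       seconds: float, valid_codes: int = 1) -> float:
    """Probability of at least one hit within `seconds` of sustained guessing."""
    p = success_probability(guesses_per_step, digits, valid_codes)
    steps = seconds / TOTP_STEP_SECONDS
    return 1.0 - (1.0 - p) ** steps


def compare(digits: int = 6) -> dict:
    """Two constructed scenarios: an unthrottled endpoint versus a limiter.

    'unthrottled' assumes 1000 guesses/second; 'rate_limited' assumes a
    limiter permitting 10 attempts per 60 seconds per source address.
    """
    scenarios = {
        "unthrottled": 1000 * TOTP_STEP_SECONDS,        # 30 000 guesses per step
        "rate_limited": attempts_per_step(60, 10),       # 5 guesses per step
    }
    report = {}
    for name, guesses in scenarios.items():
        secs = expected_seconds_to_success(guesses, digits)
        report[name] = {
            "guesses_per_step": guesses,
            "p_per_step": success_probability(guesses, digits),
            "expected_days": secs / SECONDS_PER_DAY,
            "p_within_one_hour": probability_within(guesses, digits, 3600),
        }
    return report


if __name__ == "__main__":
    print(f"6-digit TOTP adds {totp_entropy_bits(6):.2f} bits")
    for name, row in compare().items():
        print(f"{name:13s} p/step={row['p_per_step']:.2e} "
              f"expected={row['expected_days']:.1f} days "
              f"P(1h)={row['p_within_one_hour']:.3f}")
```

The takeaway is the one the reply above makes: the code space alone (~20 bits) is small, and an unthrottled endpoint makes a hit plausible within hours, while a per-address limiter that lets through only a handful of guesses per step pushes the expected time to months. Note the limiter is keyed on source address, so the estimate assumes a single address; a distributed guesser is bounded by the per-address limit times the number of addresses it controls, which is why the discussion also values blocking at the server level.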