Using docker compose to start up vaultwarden and caddy, I have set up Fail2Ban on the Ubuntu 20.04 host, and the jails are using
action = iptables-allports[name=vaultwarden, chain=FORWARD]
action = iptables-allports[name=vaultwarden-admin, chain=FORWARD]
properly, with the jails set up for the webconfig and admin page as detailed in Fail2Ban Setup · dani-garcia/vaultwarden Wiki · GitHub.
Currently we will also be using ignoreip = xx.xx.xx.xx/32 within the webconfig jail, with the ignore IP set to our corp public IP, so as to prevent multiple separate users who possibly have failed logins from locking everyone in our main office out of Vaultwarden.
Currently we also have caddy as a reverse proxy to allow the admin page to be accessible only from within our corp network, with:
not remote_ip xx.xx.xx.xx/32
redir @insecureadmin /
I wonder if there is possibly a way to set Fail2Ban to ban by the destination path (URI) passed to caddy and ban access only to that directory, as this would allow banning from our corp IP in the case that a malicious actor or curious user were to stumble upon this, but not ban the full web vault on the server.
We are currently looking into the ability to increment failures and bans with Fail2Ban and to provide email alerts for the admin page jail, for logging and notifications.
Many thanks for any input here.
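As an added illustration (not part of the post above, and not code from the vaultwarden project or Fail2Ban), the script below simulates how two Fail2Ban jails would count failures from vaultwarden's log: a web vault jail with the corp address in ignoreip, and a separate admin-page jail without that exemption. The log lines, IP addresses (documentation ranges), jail names, maxretry/findtime/bantime values and the corp address 198.51.100.5/32 are all constructed for the example; the failregex patterns are modelled on the message text the wiki's filters match and are assumptions here. It shows why the shared corp IP can never be banned by the web vault jail while an admin-token failure from that same IP still trips the admin jail, and how findtime drops stale failures from the count.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of vaultwarden's log output.
# 198.51.100.5 plays the shared corp public IP; 203.0.113.x are outside hosts.
SAMPLE_LOG = """\
[2024-01-10 09:00:01.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: alice@example.com.
[2024-01-10 09:00:05.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: bob@example.com.
[2024-01-10 09:00:09.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: carol@example.com.
[2024-01-10 09:00:12.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: dave@example.com.
[2024-01-10 09:01:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.10. Username: admin@example.com.
[2024-01-10 09:01:02.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.10. Username: admin@example.com.
[2024-01-10 09:01:04.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.10. Username: admin@example.com.
[2024-01-10 09:02:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.20. Username: eve@example.com.
[2024-01-10 09:02:03.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.20. Username: eve@example.com.
[2024-01-10 09:03:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.30. Username: frank@example.com.
[2024-01-10 09:03:01.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.30. Username: frank@example.com.
[2024-01-10 09:33:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.30. Username: frank@example.com.
[2024-01-10 09:05:00.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.5.
[2024-01-10 09:05:03.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.5.
"""

LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<mod>[^\]]+)\]\[(?P<lvl>\w+)\] (?P<msg>.*)$")
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumed jail settings, one entry per jail (values are illustrative, not the wiki's).
JAILS = {
    "vaultwarden": {
        "failregex": r"Username or password is incorrect\. Try again\. IP: " + IPV4 + r"\. Username:",
        "maxretry": 3, "findtime": 600, "bantime": 3600,
        "ignoreip": ["198.51.100.5/32"],   # corp public IP exempted, as in the post
    },
    "vaultwarden-admin": {
        "failregex": r"Invalid admin token\. IP: " + IPV4,
        "maxretry": 2, "findtime": 600, "bantime": 86400,
        "ignoreip": [],                     # no exemption for the admin page jail
    },
}


def ip_ignored(ip, ignore_list):
    """True if ip falls inside any CIDR in the jail's ignoreip list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignore_list)


def run_jails(log_text, jails=JAILS):
    """Replay the log through every jail; return {jail: {ip: ban_expiry}}."""
    failures = {name: defaultdict(deque) for name in jails}
    bans = {name: {} for name in jails}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        for name, cfg in jails.items():
            hit = re.search(cfg["failregex"], m["msg"])
            if not hit:
                continue
            ip = hit["host"]
            if ip_ignored(ip, cfg["ignoreip"]):
                continue                     # ignoreip: never counted, never banned
            if ip in bans[name] and bans[name][ip] > ts:
                continue                     # already banned in this jail
            window = failures[name][ip]
            window.append(ts)
            # Only failures within findtime of the newest one count.
            while window and (ts - window[0]).total_seconds() > cfg["findtime"]:
                window.popleft()
            if len(window) >= cfg["maxretry"]:
                bans[name][ip] = ts + timedelta(seconds=cfg["bantime"])
                window.clear()
    return bans


if __name__ == "__main__":
    for jail, banned in run_jails(SAMPLE_LOG).items():
        for ip, until in sorted(banned.items()):
            print(f"{jail}: ban {ip} until {until}")
```

Running it bans 203.0.113.10 in the vaultwarden jail (three failures inside findtime), leaves 203.0.113.20 (two failures) and 203.0.113.30 (third failure arrives 30 minutes later, outside findtime) alone, never bans the corp IP in the web vault jail despite four failures, and bans the corp IP in the admin jail after two bad tokens. Note that both jails in the post use iptables-allports, which drops all traffic from the offending source address; a ban scoped to one URI path cannot be expressed at the iptables layer and would have to be enforced by the reverse proxy instead.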