This night I got an email from Cloudflare stating the following:
We’ve aggregated data from 1 of your Cloudflare sites during the month of August. Cloudflare served 67.53 GB of data, and mitigated firewall events.
I’m only using Cloudflare as a reverse proxy for Vaultwarden… so 67GB???
I VPN’d home and stopped the Vaultwarden container (for whatever that would be worth). At home I first logged in to Cloudflare to see if could narrow it down a bit. Looking at the traffic stats I saw this:
So something happened/started at the end of the 27th of august… Opened the appdata folder of Vaultwarden to see that Bitwarden.log was over 8GB large! 124 million lines! Notepad++ had a really hard time opening the file. Trying to search the file for the date crashed it immediately. Anyway, I finaly found the start of the problem.
All looked normal until the 27th, but on the 28th it suddenly went beserk. And on the 7th it all just went back to normal.
[2023-08-27 16:56:47.097][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK
[2023-08-28 01:39:49.860][request][INFO] GET /api/config
[2023-08-28 01:39:49.860][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.892][request][INFO] GET /api/config
[2023-08-28 01:39:49.892][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.898][request][INFO] GET /api/config
[2023-08-28 01:39:49.899][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.920][request][INFO] GET /api/config
[2023-08-28 01:39:49.920][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.921][request][INFO] GET /api/config
[2023-08-28 01:39:49.921][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.945][request][INFO] GET /api/config
[2023-08-28 01:39:49.945][request][INFO] GET /api/config
[2023-08-28 01:39:49.946][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.945][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.950][request][INFO] GET /api/config
[2023-08-28 01:39:49.951][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.968][request][INFO] GET /api/config
[2023-08-28 01:39:49.969][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.969][request][INFO] GET /api/config
[2023-08-28 01:39:49.969][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.971][request][INFO] GET /api/config
[2023-08-28 01:39:49.972][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.989][request][INFO] GET /api/config
[2023-08-28 01:39:49.989][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.992][request][INFO] GET /api/config
[2023-08-28 01:39:49.992][request][INFO] GET /api/config
[2023-08-28 01:39:49.992][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:49.993][response][INFO] (config) GET /api/config => 200 OK
[2023-08-28 01:39:50.012][request][INFO] GET /api/config
ETC.
[2023-09-07 17:10:54.043][request][INFO] GET /api/config
[2023-09-07 17:10:54.043][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.115][request][INFO] GET /api/config
[2023-09-07 17:10:54.116][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.116][request][INFO] GET /api/config
[2023-09-07 17:10:54.117][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.133][request][INFO] GET /api/config
[2023-09-07 17:10:54.133][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.198][request][INFO] GET /api/config
[2023-09-07 17:10:54.198][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.260][request][INFO] GET /api/config
[2023-09-07 17:10:54.260][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.267][request][INFO] GET /api/config
[2023-09-07 17:10:54.267][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.290][request][INFO] GET /api/config
[2023-09-07 17:10:54.290][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.349][request][INFO] GET /api/config
[2023-09-07 17:10:54.349][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.432][request][INFO] GET /api/config
[2023-09-07 17:10:54.433][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.495][request][INFO] GET /api/config
[2023-09-07 17:10:54.496][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.496][request][INFO] GET /api/config
[2023-09-07 17:10:54.496][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.567][request][INFO] GET /api/config
[2023-09-07 17:10:54.567][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.574][request][INFO] GET /api/config
[2023-09-07 17:10:54.574][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:10:54.635][request][INFO] GET /api/devices/knowndevice
[2023-09-07 17:10:54.635][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-09-07 17:11:01.365][request][INFO] POST /identity/accounts/prelogin
[2023-09-07 17:11:01.366][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-09-07 17:11:01.528][request][INFO] POST /identity/connect/token
[2023-09-07 17:11:01.589][error][ERROR] 2FA token not provided
[2023-09-07 17:11:01.589][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2023-09-07 17:11:34.583][request][INFO] POST /identity/connect/token
[2023-09-07 17:11:34.647][vaultwarden::api::identity][INFO] User [my_user_email] logged in successfully. IP: 141.101.76.9
[2023-09-07 17:11:34.647][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-09-07 17:11:34.909][request][INFO] GET /api/config
[2023-09-07 17:11:34.909][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:11:34.909][request][INFO] GET /api/config
[2023-09-07 17:11:34.909][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:12:12.423][request][INFO] GET /api/devices/knowndevice
[2023-09-07 17:12:12.424][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-09-07 17:12:48.225][request][INFO] GET /api/devices/knowndevice
[2023-09-07 17:12:48.225][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2023-09-07 17:12:56.559][request][INFO] POST /identity/accounts/prelogin
[2023-09-07 17:12:56.559][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-09-07 17:12:56.735][request][INFO] POST /identity/connect/token
[2023-09-07 17:12:56.785][error][ERROR] 2FA token not provided
[2023-09-07 17:12:56.785][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2023-09-07 17:13:06.646][request][INFO] POST /identity/connect/token
[2023-09-07 17:13:06.697][vaultwarden::api::identity][INFO] User [my_user_email] logged in successfully. IP: 172.71.102.114
[2023-09-07 17:13:06.697][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-09-07 17:13:06.948][request][INFO] GET /api/config
[2023-09-07 17:13:06.948][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:13:07.070][request][INFO] GET /api/config
[2023-09-07 17:13:07.071][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:15:46.071][request][INFO] POST /identity/connect/token
[2023-09-07 17:15:46.075][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-09-07 17:15:46.521][request][INFO] GET /api/sync?excludeDomains=true
[2023-09-07 17:15:46.598][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2023-09-07 17:15:48.759][request][INFO] GET /api/config
[2023-09-07 17:15:48.759][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:18:07.707][vaultwarden::api::notifications][INFO] Closing WS connection from 172.18.0.3
[2023-09-07 17:18:17.182][request][INFO] GET /api/config
[2023-09-07 17:18:17.182][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:18:17.211][request][INFO] POST /identity/connect/token
[2023-09-07 17:18:17.214][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-09-07 17:18:17.578][request][INFO] GET /api/sync?excludeDomains=true
[2023-09-07 17:18:17.681][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2023-09-07 17:18:20.215][request][INFO] GET /api/config
[2023-09-07 17:18:20.216][response][INFO] (config) GET /api/config => 200 OK
[2023-09-07 17:18:29.118][request][INFO] POST /identity/connect/token
[2023-09-07 17:18:29.127][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-09-07 17:18:29.504][vaultwarden::api::notifications][INFO] Accepting WS connection from 172.18.0.3:50338
[2023-09-07 17:18:29.555][request][INFO] GET /api/accounts/revision-date
[2023-09-07 17:18:29.556][response][INFO] (revision_date) GET /api/accounts/revision-date => 200 OK
124M lines, 62M requests using ~1KB = 67GB. So yeah, found the issue. But what the hell?
How am I running Vaultwarden:
Unraid + Docker + Swag + Cloudflare.
How am I using Vaultwarden:
Main PC running Windows 10 with Bitwarden Desktop installed with Chocolatey, running auto upgrade at boot. Also browser plugins.
Thoughts and possible cause?
- I know that Vaultwarden was updated on the 27th of august around 13:00. Well before this started, but it could be related? A coincidence?
- I don’t remember what I was doing on the 28th, but i’m pretty sure I was behind my computer when this all started. Possibly starting my PC at that time. I’m using Chocolatey and running auto upgrade at boot. Bitwarden desktop application could have possibly been updated around this time. I was thinking maybe the Bitwarden desktop application caused this somehow. It almost perfectly correlates with the version history dates on chocolatey Chocolatey Software | Bitwarden 2023.10.1
2023.8.2 = 28th of august
2023.8.3 = 6th of september - I know that Vaultwarden also updated on the 3rd of september around 13:00. But I can’t find any sign of that in the log. The log just keeps going and going with the same message. No sign of Vaultwarden stopping / updating / starting.
- I know that the Bitwarden desktop application on my main computer running Windows 10 was acting up the last couple of weeks. Window Hello not working. Finally prompting me to login again with my master password and asking for my 2FA code. Which I at first clicked away because I didn’t have my yubikey at hand. The last lines of the log I pasted above are (I think) those login attempts. It’s my user email at least. The IP’s are Cloudflare’s. After these lines all went back to normal as far as I can tell.
.
So my guess is the desktop application is to blame somehow, but I don’t see how this could have caused Vaultwarden to spit out these log messages, even when the PC was turned off?
Please advice on what to do now? Just delete the 8GB logfile and start up the container again?
Thank you for reading and your help in advance.