add docs: hardening lnbits server with fail2ban #15
Description
Tasks
- Consider adding a section to the docs about hardening. This could include a section on fail2ban.
Fail2Ban section
Fail2Ban prevents intrusions and brute-force attacks by monitoring your server logs and blocking IP addresses.
-
Install fail2ban with your preferred packet manager
sudo apt install fail2ban
sudo systemctl enable fail2ban -
Create a custom jail for your lnbits server
sudo nano /etc/fail2ban/jail.d/lnbits.local
[lnbits]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = lnbits
maxretry = 5
bantime = 86400
findtime = 600
logpath = /home/user/path/to/log
- Create a custom filter for your lnbits server. It will ban failed authentications for login attempts and bots guessing your wallet strings
sudo nano /etc/fail2ban/filter.d/lnbits.conf
[Definition]
failregex = ^.*\|\sINFO\s\|\s<HOST>:\d+\s-\s"POST\s/api/v1/auth.*"\s401
^.*\|\sINFO\s\|\s<HOST>:\d+\s-\s"(GET|POST)\s/wallet/.*"\s(401|403|404|405|307)
ignoreregex =
- Restart fail2ban and test if it works
sudo systemctl daemon-reload
sudo restart fail2ban.service
sudo fail2ban-client status lnbits