Security
Please, note that this documentation :
- Is not exhaustive.
- Gives you the basics for securing your installation.
- Is based on a Docker installation of BorgWarehouse (it’s simple to adapt to a baremetal installation).
- I’ve chosen to use fail2ban for the examples in this documentation, but you’re free to use the IDS of your choice.
Log location
There are two main logs:
- The BorgWarehouse application log
- SSH service log
Logs are formatted by rsyslog to provide a clear timestamp. They are located in your volume, inside the logs folder. You’re encouraged to use some form of logrotate, as SSH logs in particular can quickly become very large, depending on the exposure of your server.
Log format
Since BorgWarehouse v2.2.0, the log format has been improved to enable you to detect and respond to a case of login/password brutforce.
Here is the list of cases that trigger a specific log, and an example of the associated log :
| Login log example | |
|---|---|
| ❌ | Login failed from <IP> : Wrong password for alovelace |
| ❌ | Login failed from <IP> : Bad username ghopper |
| ✅ | Login success from <IP> with user yoda |
Fail2ban
The SSH part is relatively simple, as we’ll be using the SSH filter provided by fail2ban. For the active response to login attempts on the web interface, I’ve created an adaptive filter that I’ll share with you.
Create a new jail for BorgWarehouse
Inside the jail.d directory of fail2ban, create a new borgwarehouse.conf with :
[borgwarehouse-ssh]
filter = sshd[mode=aggressive]
enabled = true
logpath = <path-to-docker-volume>/logs/sshd.log
maxretry = 3
findtime = 600
bantime = 360000
#Delete the next line for non-docker env.
chain = DOCKER-USER
[borgwarehouse-login]
filter = borgwarehouse
enabled = true
logpath = <path-to-docker-volume>/logs/borgwarehouse.log
maxretry = 3
bantime = 360000
Create a new borgwarehouse filter
Inside the filter.d directory of fail2ban, create a new borgwarehouse.conf with :
[Definition]
failregex = ^.* Login failed from <HOST> : .*
Check your configuration
Restart your fail2ban service and check the status of jails :
fail2ban-client status borgwarehouse-ssh
fail2ban-client status borgwarehouse-login
SSHD default configuration
SSH daemon configuration is required to enable BorgBackup backups. BorgWarehouse in its “docker” version provides a default configuration which is placed in <your-volume>/ssh_host/sshd_config. You can read this default configuration here.
By default, I’ve provided a restrictive configuration adapted to BorgBackup use and compliant with ANSSI recommendations. However, this configuration can be modified and adapted to suit your needs.