Please, note that this documentation :

  • Is not exhaustive.
  • Gives you the basics for securing your installation.
  • Is based on a Docker installation of BorgWarehouse (it’s simple to adapt to a baremetal installation).
  • I’ve chosen to use fail2ban for the examples in this documentation, but you’re free to use the IDS of your choice.

Log location

There are two main logs:

  • The BorgWarehouse application log
  • SSH service log

Logs are formatted by rsyslog to provide a clear timestamp. They are located in your volume, inside the logs folder. You’re encouraged to use some form of logrotate, as SSH logs in particular can quickly become very large, depending on the exposure of your server.

Log format

Since BorgWarehouse v2.2.0, the log format has been improved to enable you to detect and respond to a case of login/password brutforce.

Here is the list of cases that trigger a specific log, and an example of the associated log :

Login log example
Login failed from <IP> : Wrong password for alovelace
Login failed from <IP> : Bad username ghopper
Login success from <IP> with user yoda


The SSH part is relatively simple, as we’ll be using the SSH filter provided by fail2ban. For the active response to login attempts on the web interface, I’ve created an adaptive filter that I’ll share with you.

Create a new jail for BorgWarehouse

Inside the jail.d directory of fail2ban, create a new borgwarehouse.conf with :

filter = sshd[mode=aggressive]
enabled = true
logpath = <path-to-docker-volume>/logs/sshd.log
maxretry = 3
findtime = 600
bantime = 360000
#Delete the next line for non-docker env.

filter = borgwarehouse
enabled = true
logpath = <path-to-docker-volume>/logs/borgwarehouse.log
maxretry = 3
bantime = 360000

Create a new borgwarehouse filter

Inside the filter.d directory of fail2ban, create a new borgwarehouse.conf with :

failregex = ^.* Login failed from <HOST> : .*

Check your configuration

Restart your fail2ban service and check the status of jails :

fail2ban-client status borgwarehouse-ssh
fail2ban-client status borgwarehouse-login

SSHD default configuration

SSH daemon configuration is required to enable BorgBackup backups. BorgWarehouse in its “docker” version provides a default configuration which is placed in <your-volume>/ssh_host/sshd_config. You can read this default configuration here.

By default, I’ve provided a restrictive configuration adapted to BorgBackup use and compliant with ANSSI recommendations. However, this configuration can be modified and adapted to suit your needs.