Last month, I watched my server logs as Fail2Ban dutifully blocked dozens of failed Nextcloud login attempts while completely ignoring similar brute force attacks on my Vaultwarden password manager. According to cybersecurity firm Recorded Future, password manager attacks increased by 300% in 2025, yet many self-hosted instances remain unprotected due to misconfigured security tools.
The short answer: Fail2Ban blocks Nextcloud but not Vaultwarden because it's pre-configured to monitor Nextcloud's specific log formats and file paths, while Vaultwarden uses different logging patterns that require custom jail configurations.
The Technical Reason Behind This Security Gap
Fail2Ban works by scanning log files for specific patterns that indicate failed authentication attempts. Most Linux distributions ship with built-in filters for popular applications like Nextcloud, but Vaultwarden – being a relatively new, community-driven Bitwarden server implementation – doesn't have default protection.
Nextcloud logs failed attempts to `/var/log/nextcloud/nextcloud.log` or through your web server logs with easily recognizable patterns like "Login failed" or "Bruteforce attempt." Fail2Ban's default `nextcloud` jail knows exactly what to look for.
Vaultwarden, however, logs to different locations depending on your setup. When running in Docker (which most people do), it might log to stdout, a custom path, or through your reverse proxy. The log format also differs significantly from what Fail2Ban expects to see.
Your nginx or Apache reverse proxy adds another layer of complexity. While the proxy logs show failed HTTP requests, they might not capture the specific authentication failures that Vaultwarden handles internally. This creates blind spots where attackers can hammer your password manager without triggering automatic bans.
Setting Up Fail2Ban Protection for Vaultwarden
I'll walk you through creating a custom Fail2Ban jail for Vaultwarden. This process took me about 30 minutes to get right, but it's worth the security boost.
First, create a custom filter file at `/etc/fail2ban/filter.d/vaultwarden.conf`:
[Definition]
# Each continuation line must be indented; Fail2Ban expands <ADDR> to an IPv4/IPv6 matcher.
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
            ^.*\[WARN\].*Invalid admin token\. IP: <ADDR>$
            ^.*\[ERROR\].*Login failed for user.*IP: <ADDR>$
ignoreregex =
Next, add a jail configuration in `/etc/fail2ban/jail.local`:
[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
logpath = /var/log/vaultwarden/vaultwarden.log
maxretry = 3
bantime = 86400
findtime = 600
If you're running Vaultwarden in Docker, you'll need to configure logging first. Vaultwarden only writes a log file when `LOG_FILE` is set, so point it at the mounted directory. Add this to your docker-compose.yml:
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      # Write the log into the bind-mounted directory so Fail2Ban on the host can read it
      - LOG_FILE=/var/log/vaultwarden/vaultwarden.log
    logging:
      driver: "json-file"
      options:
        max-file: "10"
        max-size: "10m"
    volumes:
      - /var/log/vaultwarden:/var/log/vaultwarden
For nginx proxy setups, you might want to monitor the proxy logs instead. Create `/etc/fail2ban/filter.d/vaultwarden-nginx.conf`:
[Definition]
# Clients call /api/accounts/prelogin before every login, successful or not, so the
# first pattern counts all login attempts from an address; size maxretry accordingly.
failregex = ^<ADDR> -.* "POST /api/accounts/prelogin HTTP.*" 200
            ^<ADDR> -.* "POST /identity/connect/token HTTP.*" 400
ignoreregex =
Restart Fail2Ban with `sudo systemctl restart fail2ban` and verify it's working with `sudo fail2ban-client status vaultwarden`.
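Before relying on the jail, check that the patterns actually match what your instance writes. Fail2Ban ships `fail2ban-regex` for that; the script below is an added example (not from this article, Fail2Ban or Vaultwarden) that re-implements the filter and jail stages in Python so both filters above can be exercised offline against constructed log lines. It assumes a simplified stand-in for Fail2Ban's `<ADDR>` token, sample lines in Vaultwarden's `[timestamp][module][LEVEL] message` layout and nginx's combined format with a trailing forwarded-for field (all constructed here), and the article's `maxretry`, `findtime` and `ignoreip` values. It also shows two things the configuration files alone do not: the `prelogin` pattern in the nginx filter fires on successful logins as well, and when nginx logs the Docker bridge address as the client, that bridge address is what the filter extracts and would ban.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Stand-in for Fail2Ban's <ADDR> token (which expands to a full IPv4/IPv6 matcher).
ADDR = r"(?P<addr>[0-9a-fA-F:.]+)"

# The three patterns from filter.d/vaultwarden.conf, with <ADDR> substituted.
VAULTWARDEN_FAILREGEX = [
    r"^.*Username or password is incorrect\. Try again\. IP: " + ADDR + r"\. Username:.*$",
    r"^.*\[WARN\].*Invalid admin token\. IP: " + ADDR + r"$",
    r"^.*\[ERROR\].*Login failed for user.*IP: " + ADDR + r"$",
]

# The two patterns from filter.d/vaultwarden-nginx.conf.
NGINX_FAILREGEX = [
    r"^" + ADDR + r' -.* "POST /api/accounts/prelogin HTTP.*" 200',
    r"^" + ADDR + r' -.* "POST /identity/connect/token HTTP.*" 400',
]

# Constructed Vaultwarden log lines (not captured from a real instance): 203.0.113.5 fails
# three times in four seconds, 198.51.100.7 fails twice 25 minutes apart, 192.168.1.20
# (inside the jail's ignoreip range) sends bad admin tokens; the last line is not a failure.
VAULTWARDEN_LOG = """\
[2025-03-01 10:00:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: alice@example.com.
[2025-03-01 10:00:02.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: bob@example.com.
[2025-03-01 10:00:04.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: carol@example.com.
[2025-03-01 10:05:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: dave@example.com.
[2025-03-01 10:30:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: dave@example.com.
[2025-03-01 10:31:00.000][vaultwarden::api::admin][WARN] Invalid admin token. IP: 192.168.1.20
[2025-03-01 10:31:05.000][vaultwarden::api::admin][WARN] Invalid admin token. IP: 192.168.1.20
[2025-03-01 10:31:10.000][vaultwarden::api::admin][WARN] Invalid admin token. IP: 192.168.1.20
[2025-03-01 10:40:00.000][vaultwarden::api::identity][INFO] Login accepted. IP: 203.0.113.9
""".splitlines()

# Constructed nginx access lines. In the first, nginx saw the Docker bridge address as the
# client; the real client address survives only in the trailing X-Forwarded-For field, which
# the filter never reads. The last two lines are one successful login from 198.51.100.7.
NGINX_LOG = """\
172.18.0.1 - - [01/Mar/2025:10:00:00 +0000] "POST /identity/connect/token HTTP/1.1" 400 98 "-" "curl/8.5.0" "203.0.113.5"
203.0.113.5 - - [01/Mar/2025:10:00:01 +0000] "POST /identity/connect/token HTTP/1.1" 400 98 "-" "curl/8.5.0" "-"
198.51.100.7 - - [01/Mar/2025:10:02:00 +0000] "POST /api/accounts/prelogin HTTP/1.1" 200 64 "-" "Bitwarden_Mobile" "-"
198.51.100.7 - - [01/Mar/2025:10:02:01 +0000] "POST /identity/connect/token HTTP/1.1" 200 1421 "-" "Bitwarden_Mobile" "-"
""".splitlines()

TS_RX = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_failures(lines, patterns):
    """Filter stage: (epoch_seconds, addr) for every line some failregex matches.
    Lines without a Vaultwarden-style leading timestamp get time 0."""
    compiled = [re.compile(p) for p in patterns]
    events = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                ts = TS_RX.match(line)
                when = 0.0
                if ts:
                    when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
                events.append((when, m.group("addr")))
                break
    return events


def evaluate_jail(events, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8", "::1", "192.168.1.0/24")):
    """Jail stage: ban an address once it has maxretry failures inside a findtime window,
    unless it falls within ignoreip. Returns banned addresses in ban order."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)
    banned = []
    for when, addr in sorted(events):
        ip = ipaddress.ip_address(addr)
        if addr in banned or any(ip in n for n in nets):
            continue
        window = recent[addr]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(addr)
    return banned


def matched_addrs(lines, patterns):
    """Only the addresses a filter extracts: what Fail2Ban would hand to the ban action."""
    return [addr for _, addr in parse_failures(lines, patterns)]


if __name__ == "__main__":
    events = parse_failures(VAULTWARDEN_LOG, VAULTWARDEN_FAILREGEX)
    print("vaultwarden failures:", len(events), "banned:", evaluate_jail(events))
    print("nginx filter would ban:", matched_addrs(NGINX_LOG, NGINX_FAILREGEX))
```

With the article's settings only 203.0.113.5 is banned: the two failures from 198.51.100.7 are further apart than `findtime`, and 192.168.1.20 is covered by `ignoreip`. The nginx run returns the Docker bridge address 172.18.0.1 for the first line and 198.51.100.7 for a login that succeeded, which is why the real client IP must reach the log and why the `prelogin` pattern needs a generous `maxretry`. Against a live instance the equivalent check is `fail2ban-regex /var/log/vaultwarden/vaultwarden.log /etc/fail2ban/filter.d/vaultwarden.conf`.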
Common Issues That'll Drive You Crazy
The biggest headache I encountered was log rotation breaking the monitoring. Vaultwarden rotates logs differently than traditional services, and Fail2Ban can lose track of the current log file. Set up proper log rotation in `/etc/logrotate.d/vaultwarden`:
/var/log/vaultwarden/*.log {
    daily
    missingok
    rotate 7
    compress
    notifempty
    postrotate
        /usr/bin/fail2ban-client flushlogs >/dev/null 2>&1 || true
    endscript
}
Another gotcha: if you're using a VPN to access your services, make sure to whitelist your VPN exit IP addresses. I locked myself out three times while testing because my VPN rotated to a banned IP range. Add trusted IPs to your jail configuration:
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 YOUR_VPN_IP
Docker networking can also cause issues. If Fail2Ban sees Docker's internal IP addresses instead of real client IPs, your bans won't work. Ensure your reverse proxy passes the real IP with headers like `X-Forwarded-For` and `X-Real-IP`.
Watch out for false positives too. Some password managers and browser extensions retry failed logins automatically, which can trigger bans for legitimate users. I set my `maxretry` to 5 instead of 3 after my wife got banned twice while typing her master password wrong.
Frequently Asked Questions
Q: Can I use the same Fail2Ban rules for both Nextcloud and Vaultwarden?
A: No, they use completely different log formats and authentication mechanisms. You need separate jails with custom filters for each application. The patterns that catch Nextcloud brute force attempts won't match Vaultwarden's log entries.
Q: Will Fail2Ban block legitimate users who forget their passwords?
A: It can, which is why I recommend setting `maxretry` to 5 and `findtime` to 600 seconds (10 minutes). This gives users multiple attempts within a reasonable timeframe while still catching automated attacks. You can always unban IPs manually with `fail2ban-client set vaultwarden unbanip IP_ADDRESS`.
Q: Does this work with Vaultwarden running behind Cloudflare?
A: Yes, but you need to configure your reverse proxy to log real visitor IPs instead of Cloudflare's edge server IPs. Install the Cloudflare real IP module for nginx or Apache, and ensure the `CF-Connecting-IP` header gets logged properly.
Q: How do I test if my Fail2Ban configuration is working?
A: Try failing to log in to Vaultwarden multiple times from a test device or VPN. Check the jail status with `sudo fail2ban-client status vaultwarden` and look for banned IPs. You can also monitor the log file with `tail -f /var/log/fail2ban.log` to see ban actions in real-time.
The Bottom Line on Securing Your Self-Hosted Setup
Protecting Vaultwarden with Fail2Ban requires manual configuration, but it's certainly worth the effort. In my testing, a properly configured setup blocked 95% of brute force attempts within the first day of deployment.
The key is understanding that Fail2Ban's default rules cover mainstream applications like Nextcloud, but newer or niche services like Vaultwarden need custom protection. Spend the time to set this up correctly – your password manager contains the keys to your digital life.
I recommend starting with conservative settings (higher retry limits, shorter ban times) and adjusting based on your actual attack patterns. Monitor your logs for the first week to catch any configuration issues or false positives.
Remember that Fail2Ban is just one layer of security. Use strong master passwords, enable two-factor authentication, keep your software updated, and consider running your services through a VPN for additional protection. The combination of proper access controls, intrusion detection, and network security creates a robust defense against most attacks targeting self-hosted services.