Month: April 2026

A working version to block intruderce into warpgate

compose.yml

services:
  warpgate:
    container_name: warpgate
    image: ghcr.io/warp-tech/warpgate
    ports:
      - 2222:2222
      - 127.0.0.1:8888:8888
    volumes:
      - ./data:/data:Z
      - ./sockets:/var/run
    stdin_open: true
    tty: true
    restart: always
    environment:
      - WARPGATE__WEB__TRUST_PROXY_HEADERS=true
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"
  vector:
    image: timberio/vector:latest-alpine
    container_name: vector
    restart: unless-stopped
    depends_on:
      - warpgate
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      - /var/log/warpgate:/var/log/warpgate
    command: ["--config", "/etc/vector/vector.yaml"]

vector.yaml

sources:
  warpgate:
    type: docker_logs
    include_containers:
      - warpgate

transforms:
  to_fail2ban:
    type: remap
    inputs:
      - warpgate
    source: |
      raw = string!(.message)

      # ANSI Escape Codes entfernen
      msg = replace(raw, r'\x1b\[[0-9;]*m', "")

      ok = contains(msg, "WARN HTTP:") &&
           contains(msg, "/@warpgate/api/auth/login") &&
           contains(msg, "status=401") &&
           contains(msg, "client_ip")

      if !ok {
        abort
      }

      ts = format_timestamp!(.timestamp, "%Y-%m-%dT%H:%M:%SZ")

      parsed = parse_regex!(msg, r'client_ip\s*=\s*(?P[0-9a-fA-F\.:]+)')
      ip = parsed.ip

      .message = ts + " warpgate login failed ip=" + ip

sinks:
  fail2ban_file:
    type: file
    inputs:
      - to_fail2ban
    path: "/var/log/warpgate/auth.log"
    encoding:
      codec: text

/etc/fail2ban/filter.d/warpgate.conf

[Definition]
failregex = ^.*warpgate login failed ip=$
ignoreregex =

/etc/fail2ban/jail.d/warpgate.conf

[warpgate]
enabled  = true
filter   = warpgate
logpath  = /var/log/warpgate/auth.log

maxretry = 5
findtime = 300
bantime  = 300