Vaultwarden isn't that demanding. And it only uses one port to be accessed via HTTP(S). If you want to prevent outgoing traffic as much as possible, I would recommend either disabling favicon downloading, or switching to redirect them to Google, DuckDuckGo, Bitwarden Hosted, or something else. This should prevent the server from trying to access any domain users have as an entry in their vault. Then SMTP is probably the only thing left which might need to be able to connect to the outside. Oh, and if you have enabled the Bitwarden Push service, then you also need to allow those of course; the same goes for YubiKey and DUO if used/allowed. If you want to have E2EE, you also need to configure Vaultwarden itself to use an SSL cert, and configure the reverse proxy to connect via a secure connection to Vaultwarden.
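An added example, not part of the reply above and not Vaultwarden's own code: a small audit that reads a Vaultwarden env file and lists the outbound flows the reply names (icon fetching, SMTP, push, YubiKey, Duo), so egress rules can be matched to the configuration. It assumes all settings live in the env file under the names `ICON_SERVICE`, `DISABLE_ICON_DOWNLOAD`, `SMTP_HOST`, `PUSH_ENABLED`, `YUBICO_CLIENT_ID` and `DUO_IKEY`; the sample file and the function names are constructed for illustration.

```python
# Added example: derive the outbound flows a Vaultwarden env file implies.
# Assumption: settings live only in the env file (admin-panel overrides and
# per-user Duo settings are not visible here).

SAMPLE_ENV = """\
# constructed sample, not from the discussion
ICON_SERVICE=internal
SMTP_HOST=smtp.example.com
PUSH_ENABLED=true
# YUBICO_CLIENT_ID=12345
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_true(value):
    return value.strip().lower() in ("true", "1", "yes", "on")

def required_egress(settings):
    """Return the sorted outbound flows the server itself needs."""
    flows = set()
    icon_service = settings.get("ICON_SERVICE", "internal").lower()
    downloads_off = is_true(settings.get("DISABLE_ICON_DOWNLOAD", "false"))
    # Only the internal icon service makes the server fetch favicons itself;
    # a redirect to an external service moves that request to the client.
    if icon_service == "internal" and not downloads_off:
        flows.add("icons: any domain stored in a vault entry")
    if settings.get("SMTP_HOST"):
        flows.add("smtp: " + settings["SMTP_HOST"])
    if is_true(settings.get("PUSH_ENABLED", "false")):
        flows.add("push: Bitwarden push service")
    if settings.get("YUBICO_CLIENT_ID"):
        flows.add("yubikey: YubiKey OTP validation")
    if settings.get("DUO_IKEY"):
        flows.add("duo: Duo API")
    return sorted(flows)

if __name__ == "__main__":
    for flow in required_egress(parse_env(SAMPLE_ENV)):
        print(flow)
```

An empty result means the env file implies no outbound connection from the server, which is the case to aim for before adding SMTP or push back deliberately.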
We are currently hosting Vaultwarden on an Ubuntu 24.04 server running on AWS.
We already use AWS Security Groups and plan to use Fail2Ban for brute-force protection.
We’d like to ask:
Our goal is to secure the instance at the host level and forward firewall logs to our analytics tool for monitoring.
Any best practices or references would be appreciated.
Thank you for your work!