Secure Your Self-Hosted Bitwarden: Firewall, Fail2Ban, SSH Keys & Backups

Self-hosting Bitwarden offers full control over your password manager, but it requires robust security measures: firewall port restrictions, Fail2Ban for intrusion prevention, SSH key-only access, and reliable backups.

Firewall Port Blocking

Configure your firewall to expose only the ports Bitwarden needs, typically HTTP (80) and HTTPS (443), while leaving SSH (22) open only for as long as you need it. On Ubuntu with UFW, run sudo ufw allow 22/tcp, sudo ufw allow 80/tcp and sudo ufw allow 443/tcp, then sudo ufw enable to block all other incoming traffic. This minimizes the attack surface: unauthorized ports are rejected and only the Bitwarden services (and SSH) remain reachable.

Fail2Ban for SSH and Bitwarden Logs

Install Fail2Ban to monitor log files and ban IPs after repeated failed login attempts against SSH and Bitwarden. For SSH, enable the default jail in /etc/fail2ban/jail.local with [sshd] enabled = true. For Bitwarden, create a custom filter /etc/fail2ban/filter.d/bitwarden.conf whose failregex matches lines like ^\s*\[Warning\]\s+Failed login attempt.* <HOST>$ in bwdata/logs/identity/Identity/log.txt, then add a jail whose logpath points at that file. Restart Fail2Ban with sudo systemctl restart fail2ban to activate protection against brute-force attacks.
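To see what the Bitwarden jail actually does with that failregex, the following added example (not code from the article or from Bitwarden/Fail2Ban) replays the jail logic in Python over a handful of constructed log lines: it expands <HOST> with a simplified stand-in for Fail2Ban's own host pattern (an assumption; the real expansion also handles bracketed IPv6 and hostnames), strips the leading timestamp the way Fail2Ban's datepattern does before applying failregex, and bans a host once it reaches maxretry failures inside a sliding findtime window. The sample log, its timestamp format, and the addresses are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex as it would appear in /etc/fail2ban/filter.d/bitwarden.conf (from the article).
# <HOST> is Fail2Ban's placeholder for the address to ban.
FAILREGEX = r"^\s*\[Warning\]\s+Failed login attempt.* <HOST>$"

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption: IPv4 or bare IPv6 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]{3,})"

# Constructed timestamp prefix. Fail2Ban removes the date via its datepattern before
# applying failregex, which is why the pattern can start with ^\s*\[Warning\].
DATE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")

# Reference jail stanza for jail.local (real Fail2Ban keys; values are illustrative).
JAIL_EXAMPLE = """\
[bitwarden]
enabled  = true
filter   = bitwarden
logpath  = /opt/bitwarden/bwdata/logs/identity/Identity/log.txt
port     = http,https
maxretry = 5
findtime = 600
bantime  = 3600
"""

# Constructed log excerpt: one host fails five times in 20 s, another spreads
# failures so that only four fall inside any 600 s window.
SAMPLE_LOG = """\
2024-05-01 10:00:01 [Information] Identity server started
2024-05-01 10:00:05 [Warning] Failed login attempt. 203.0.113.7
2024-05-01 10:00:09 [Warning] Failed login attempt, 2FA invalid. 203.0.113.7
2024-05-01 10:00:12 [Warning] Failed login attempt. 198.51.100.20
2024-05-01 10:00:15 [Warning] Failed login attempt. 203.0.113.7
2024-05-01 10:00:20 [Warning] Failed login attempt. 203.0.113.7
2024-05-01 10:00:25 [Warning] Failed login attempt. 203.0.113.7
2024-05-01 10:30:00 [Warning] Failed login attempt. 198.51.100.20
2024-05-01 10:30:05 [Warning] Failed login attempt. 198.51.100.20
2024-05-01 10:30:10 [Warning] Failed login attempt. 198.51.100.20
2024-05-01 10:30:15 [Warning] Failed login attempt. 198.51.100.20
"""


def compile_failregex(failregex: str = FAILREGEX) -> re.Pattern:
    """Turn a Fail2Ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line: str, pattern: re.Pattern):
    """Return (timestamp, host) for a line that matches failregex, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    f = pattern.match(m.group("rest"))  # failregex is applied to the date-stripped remainder
    if not f:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), f.group("host")


def find_bans(lines, maxretry: int = 5, findtime: int = 600) -> dict:
    """Replay the jail: ban a host at the moment it accumulates maxretry failures
    within a sliding findtime window. Returns {host: time_of_ban}."""
    pattern = compile_failregex()
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None or parsed[1] in banned:
            continue
        ts, host = parsed
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Before enabling the jail on a real server, run fail2ban-regex against the actual log file with the filter to confirm the pattern matches the lines Bitwarden writes; the timestamp format in the sample above is constructed and may differ from what your Identity container logs.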

Disable SSH Password, Enable Keys Only

Generate an SSH key pair with ssh-keygen, copy the public key to ~/.ssh/authorized_keys on the server, then edit /etc/ssh/sshd_config to set PasswordAuthentication no and PubkeyAuthentication yes. Restart SSH with sudo systemctl restart sshd to enforce key-only logins, drastically reducing brute-force risk. Test key access from a second session before closing the current one to avoid locking yourself out.
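Editing sshd_config has two traps that a quick grep does not catch: sshd uses the first value it sees for a keyword, so appending PasswordAuthentication no below an earlier PasswordAuthentication yes changes nothing, and every line after a Match directive belongs to that Match block rather than to the global section. The following added Python audit (my example, not from the article or OpenSSH) parses a constructed sshd_config with those rules and reports whether the settings the article asks for are actually in effect. It goes slightly beyond the article by also checking KbdInteractiveAuthentication (alias ChallengeResponseAuthentication), because with PAM enabled that path can still prompt for a password even when PasswordAuthentication is no. Include directives are not followed (an assumption: only the main file is audited).

```python
import re

# Constructed sshd_config that looks hardened but is not: the first
# PasswordAuthentication wins, and the last two lines sit inside "Match User backup".
SAMPLE_SSHD_CONFIG = """\
# constructed example, not a real server's file
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed config that passes the audit.
HARDENED_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

# sshd's compiled-in defaults for the keywords audited here (all default to yes).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling that sshd still accepts for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global_settings(text: str) -> dict:
    """Effective global keyword values: comments dropped, keywords case-insensitive,
    first occurrence wins, and parsing stops at the first Match block as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # everything below applies only to the matched users/hosts
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text: str) -> list:
    """Return a list of findings; an empty list means key-only login is enforced."""
    s = parse_global_settings(text)
    effective = lambda k: s.get(k, DEFAULTS[k])
    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively 'yes' (first occurrence wins)")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is enabled: PAM may still prompt for a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On the server itself, sshd -T prints the effective configuration after all parsing and includes, and sshd -t validates the file before you restart the service; both are worth running right after the edit and before the restart.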

Backup Strategy

Bitwarden self-hosted includes automatic nightly MSSQL database backups in ./bwdata/mssql/backups, retained for 30 days, while manual full backups of the entire ./bwdata directory also cover configs, attachments, and data protection keys. Use a tool like rclone for offsite storage to an immutable cloud service such as Backblaze B2, scripting a daily cron job for ./bwdata that uploads with write-only credentials (able to add objects but not delete or overwrite them), so a compromised server cannot destroy its own backups. For restoration, use docker exec -i bitwarden-mssql /backup-db.sh or SQL commands inside the container to recover from .BAK files.
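The local half of that cron job, written as an added Python example (my code, not a script from the article or from Bitwarden): it archives the whole bwdata tree into a timestamped tar.gz, writes a SHA-256 sidecar so the offsite copy can be verified after download, and prunes local archives older than the retention period. The bwdata tree, the file names inside it, and the dates are constructed inside a temporary directory so the demo runs offline; the upload step to the write-only bucket is left to rclone and is not modelled here.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def snapshot(bwdata: Path, dest: Path, now: datetime) -> Path:
    """Archive the whole bwdata tree (configs, attachments, data-protection keys,
    MSSQL .BAK files) into dest/bwdata-<stamp>.tar.gz plus a SHA-256 sidecar."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"bwdata-{now:%Y%m%d-%H%M%S}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(bwdata, arcname="bwdata")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    archive.with_name(archive.name + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify(archive: Path) -> bool:
    """Recompute the archive hash and compare it with the sidecar (detects a
    truncated or tampered copy before you attempt a restore)."""
    sidecar = archive.with_name(archive.name + ".sha256")
    expected = sidecar.read_text().split()[0]
    return hashlib.sha256(archive.read_bytes()).hexdigest() == expected


def prune(dest: Path, keep_days: int, now: datetime) -> list:
    """Delete local archives (and sidecars) older than keep_days; the retention
    period is read from the timestamp in the file name, not from mtime."""
    removed = []
    for archive in sorted(dest.glob("bwdata-*.tar.gz")):
        stamp = datetime.strptime(archive.name, "bwdata-%Y%m%d-%H%M%S.tar.gz")
        if now - stamp > timedelta(days=keep_days):
            archive.unlink()
            archive.with_name(archive.name + ".sha256").unlink(missing_ok=True)
            removed.append(archive.name)
    return removed


def demo() -> dict:
    """Constructed end-to-end run: fake bwdata tree, an old and a fresh snapshot,
    verification, pruning, and a corrupted copy failing verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bwdata = root / "bwdata"
        (bwdata / "env").mkdir(parents=True)
        (bwdata / "mssql" / "backups").mkdir(parents=True)
        (bwdata / "env" / "global.override.env").write_text("# constructed placeholder config\n")
        (bwdata / "mssql" / "backups" / "vault_constructed.BAK").write_bytes(b"\x00" * 64)

        now = datetime(2024, 5, 1, 3, 0, 0)  # constructed "today"
        old = snapshot(bwdata, root / "archives", now - timedelta(days=40))
        fresh = snapshot(bwdata, root / "archives", now)
        verified = verify(fresh)
        removed = prune(root / "archives", keep_days=30, now=now)
        fresh.write_bytes(fresh.read_bytes() + b"x")  # simulate corruption in transit
        return {
            "old": old.name,
            "removed": removed,
            "verified": verified,
            "verified_after_tamper": verify(fresh),
            "remaining": sorted(p.name for p in (root / "archives").glob("bwdata-*.tar.gz")),
        }


if __name__ == "__main__":
    print(demo())
```

In production, run snapshot() against the real ./bwdata path while the containers are stopped or right after the nightly database backup has completed, then hand the archive and its .sha256 to rclone for the offsite upload; keep the credentials rclone uses scoped to write-only so the server cannot delete what it has already uploaded.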

Optional: Disable Signups and Admin

In Bitwarden's env/global.override.env, set SIGNUPS_ALLOWED=false to prevent unauthorized account creation, then restart containers. Disable or restrict /admin access via proxy rules, and enforce strong master passwords with 2FA (TOTP, YubiKey) for all users.