nixos/services/fail2ban.nix

{ config, lib, pkgs, ... }:

# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
{
  services.fail2ban = {
    enable = true;
    jails = { 
      DEFAULT = ''
        bantime  = 3600
        logpath  = /var/log/auth.log
      '';

      ssh = ''
        enabled = true
        filter = sshd
        maxretry = 4
        action = iptables[name=SSH, port=ssh, protocol=tcp]
      '';
      sshd-ddos = ''
        enabled  = true
        filter = sshd-ddos
        maxretry = 2
        action   = iptables[name=ssh, port=ssh, protocol=tcp]
      '';

      postfix = ''
        enabled  = true
        filter   = postfix
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-sasl = ''
        enabled  = true
        filter   = postfix-sasl
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-ddos = ''
        enabled  = true
        filter   = postfix-ddos
        maxretry = 3
        action   = iptables[name=postfix, port=submission, protocol=tcp]
        bantime  = 7200
      '';

      nginx-req-limit = ''
        enabled = true
        filter = nginx-req-limit
        maxretry = 10
        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
        findtime = 600
        bantime = 7200
      ''
    };
  }; 

  environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
    [Definition]
    failregex = lost connection after EHLO from \S+\[<HOST>\]
  '';

  environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
    [Definition]
    failregex = limiting requests, excess:.* by zone.*client: <HOST>
  '';

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`{ config, lib, pkgs, ... }:`

			`# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix`
			`{`
			`services.fail2ban = {`
			`enable = true;`
			`jails = {`
			`DEFAULT = ''`
			`bantime = 3600`
			`logpath = /var/log/auth.log`
			`'';`

			`ssh = ''`
			`enabled = true`
			`filter = sshd`
			`maxretry = 4`
			`action = iptables[name=SSH, port=ssh, protocol=tcp]`
			`'';`
			`sshd-ddos = ''`
			`enabled = true`
			`filter = sshd-ddos`
			`maxretry = 2`
			`action = iptables[name=ssh, port=ssh, protocol=tcp]`
			`'';`

			`postfix = ''`
			`enabled = true`
			`filter = postfix`
			`maxretry = 3`
			`action = iptables[name=postfix, port=smtp, protocol=tcp]`
			`'';`
			`postfix-sasl = ''`
			`enabled = true`
			`filter = postfix-sasl`
			`maxretry = 3`
			`action = iptables[name=postfix, port=smtp, protocol=tcp]`
			`'';`
			`postfix-ddos = ''`
			`enabled = true`
			`filter = postfix-ddos`
			`maxretry = 3`
			`action = iptables[name=postfix, port=submission, protocol=tcp]`
			`bantime = 7200`
			`'';`

			`nginx-req-limit = ''`
			`enabled = true`
			`filter = nginx-req-limit`
			`maxretry = 10`
			`action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]`
			`findtime = 600`
			`bantime = 7200`
			`''`
			`};`
			`};`

			`environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''`
			`[Definition]`
			`failregex = lost connection after EHLO from \S+\[<HOST>\]`
			`'';`

			`environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''`
			`[Definition]`
			`failregex = limiting requests, excess:.* by zone.*client: <HOST>`
			`'';`

			`# Limit stack size to reduce memory usage`
			`systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;`
			`}`