2023-09-11 20:23:04 +02:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
...
|
|
|
|
}:
|
2024-11-20 20:32:38 +01:00
|
|
|
with lib;
|
|
|
|
let
|
2019-09-06 11:39:24 +02:00
|
|
|
cfg = config.machine;
|
|
|
|
active = name: (elem name cfg.services);
|
2023-09-11 20:23:04 +02:00
|
|
|
in
|
2024-11-20 20:32:38 +01:00
|
|
|
mkIf (elem "fail2ban" cfg.services) {
|
|
|
|
services.fail2ban = {
|
|
|
|
enable = true;
|
|
|
|
jails = {
|
|
|
|
DEFAULT = ''
|
|
|
|
bantime = 3600
|
|
|
|
blocktype = DROP
|
|
|
|
logpath = /var/log/auth.log
|
2023-09-11 20:23:04 +02:00
|
|
|
'';
|
2019-02-26 13:44:40 +01:00
|
|
|
|
2024-11-20 20:32:38 +01:00
|
|
|
ssh = ''
|
|
|
|
enabled = ${boolToString (active "openssh")}
|
|
|
|
filter = sshd
|
|
|
|
maxretry = 4
|
|
|
|
action = iptables[name=SSH, port=ssh, protocol=tcp]
|
|
|
|
'';
|
|
|
|
sshd-ddos = ''
|
|
|
|
enabled = ${boolToString (active "openssh")}
|
|
|
|
filter = sshd-ddos
|
|
|
|
maxretry = 4
|
|
|
|
action = iptables[name=ssh, port=ssh, protocol=tcp]
|
2023-09-11 20:23:04 +02:00
|
|
|
'';
|
2019-09-06 11:39:24 +02:00
|
|
|
|
2024-11-20 20:32:38 +01:00
|
|
|
postfix = ''
|
|
|
|
enabled = ${boolToString (active "mailserver")}
|
|
|
|
filter = postfix
|
|
|
|
maxretry = 3
|
|
|
|
action = iptables[name=postfix, port=smtp, protocol=tcp]
|
|
|
|
'';
|
|
|
|
postfix-sasl = ''
|
|
|
|
enabled = ${boolToString (active "mailserver")}
|
|
|
|
filter = postfix-sasl
|
|
|
|
port = postfix,imap3,imaps,pop3,pop3s
|
|
|
|
maxretry = 3
|
|
|
|
action = iptables[name=postfix, port=smtp, protocol=tcp]
|
|
|
|
'';
|
|
|
|
postfix-ddos = ''
|
|
|
|
enabled = ${boolToString (active "mailserver")}
|
|
|
|
filter = postfix-ddos
|
|
|
|
maxretry = 3
|
|
|
|
action = iptables[name=postfix, port=submission, protocol=tcp]
|
|
|
|
bantime = 7200
|
2023-09-11 20:23:04 +02:00
|
|
|
'';
|
2019-02-26 13:44:40 +01:00
|
|
|
|
2024-11-20 20:32:38 +01:00
|
|
|
nginx-req-limit = ''
|
|
|
|
enabled = ${boolToString (active "nginx")}
|
|
|
|
filter = nginx-req-limit
|
|
|
|
maxretry = 10
|
|
|
|
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
|
|
|
|
findtime = 600
|
|
|
|
bantime = 7200
|
2023-09-11 20:23:04 +02:00
|
|
|
'';
|
|
|
|
};
|
2024-11-20 20:32:38 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
|
|
|
|
enable = active "openssh";
|
|
|
|
text = ''
|
|
|
|
[Definition]
|
|
|
|
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
|
|
|
|
ignoreregex =
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
|
|
|
|
enable = active "mailserver";
|
|
|
|
text = ''
|
|
|
|
# Fail2Ban filter for postfix authentication failures
|
|
|
|
[INCLUDES]
|
|
|
|
before = common.conf
|
|
|
|
[Definition]
|
|
|
|
daemon = postfix/smtpd
|
|
|
|
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
|
|
|
|
enable = active "mailserver";
|
|
|
|
text = ''
|
|
|
|
[Definition]
|
|
|
|
failregex = lost connection after EHLO from \S+\[<HOST>\]
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
|
|
|
|
enable = active "nginx";
|
|
|
|
text = ''
|
|
|
|
[Definition]
|
|
|
|
failregex = limiting requests, excess:.* by zone.*client: <HOST>
|
|
|
|
'';
|
|
|
|
};
|
2019-02-26 13:44:40 +01:00
|
|
|
|
2024-11-20 20:32:38 +01:00
|
|
|
# Limit stack size to reduce memory usage
|
|
|
|
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
|
|
|
|
}
|