nixos/services/fail2ban.nix

{ config, lib, ... }:

with lib;

let
  cfg = config.machine;
  active = name: (elem name cfg.services);
in mkIf (elem "fail2ban" cfg.services) {
  services.fail2ban = {
    enable = true;
    jails = {
      DEFAULT = ''
        bantime  = 3600
        blocktype = DROP
        logpath  = /var/log/auth.log
      '';

      ssh = ''
        enabled = ${boolToString (active "openssh")}
        filter = sshd
        maxretry = 4
        action = iptables[name=SSH, port=ssh, protocol=tcp]
      '';
      sshd-ddos = ''
        enabled  = ${boolToString (active "openssh")}
        filter = sshd-ddos
        maxretry = 4
        action   = iptables[name=ssh, port=ssh, protocol=tcp]
      '';

      postfix = ''
        enabled  = ${boolToString (active "mailserver")}
        filter   = postfix
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-sasl = ''
        enabled  = ${boolToString (active "mailserver")}
        filter   = postfix-sasl
        port     = postfix,imap3,imaps,pop3,pop3s
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-ddos = ''
        enabled  = ${boolToString (active "mailserver")}
        filter   = postfix-ddos
        maxretry = 3
        action   = iptables[name=postfix, port=submission, protocol=tcp]
        bantime  = 7200
      '';

      nginx-req-limit = ''
        enabled = ${boolToString (active "nginx")}
        filter = nginx-req-limit
        maxretry = 10
        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
        findtime = 600
        bantime = 7200
      '';
    };
  };

  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
    enable = (active "openssh");
    text = ''
      [Definition]
      failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
      ignoreregex =
    '';
  };

  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
    enable = (active "mailserver");
    text = ''
      # Fail2Ban filter for postfix authentication failures
      [INCLUDES]
      before = common.conf
      [Definition]
      daemon = postfix/smtpd
      failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    '';
  };

  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
    enable = (active "mailserver");
    text = ''
      [Definition]
      failregex = lost connection after EHLO from \S+\[<HOST>\]
    '';
  };

  environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
    enable = (active "nginx");
    text = ''
      [Definition]
      failregex = limiting requests, excess:.* by zone.*client: <HOST>
    '';
  };

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}
Clean up in accordance with unofficial nix-linter. 2019-05-09 18:28:40 +02:00			`{ config, lib, ... }:`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00
Modularized configuration now kind of works. (still need to do some refactoring) 2019-03-20 02:57:59 +01:00			`with lib;`

Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`let`
			`cfg = config.machine;`
			`active = name: (elem name cfg.services);`
			`in mkIf (elem "fail2ban" cfg.services) {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`services.fail2ban = {`
			`enable = true;`
fail2ban: Fix some broken jails (socket based sshd is still broken). 2020-03-27 13:36:53 +01:00			`jails = {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`DEFAULT = ''`
			`bantime = 3600`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`blocktype = DROP`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`logpath = /var/log/auth.log`
			`'';`

			`ssh = ''`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`enabled = ${boolToString (active "openssh")}`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`filter = sshd`
			`maxretry = 4`
			`action = iptables[name=SSH, port=ssh, protocol=tcp]`
			`'';`
			`sshd-ddos = ''`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`enabled = ${boolToString (active "openssh")}`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`filter = sshd-ddos`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`maxretry = 4`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`action = iptables[name=ssh, port=ssh, protocol=tcp]`
			`'';`

			`postfix = ''`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`enabled = ${boolToString (active "mailserver")}`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`filter = postfix`
			`maxretry = 3`
			`action = iptables[name=postfix, port=smtp, protocol=tcp]`
			`'';`
			`postfix-sasl = ''`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`enabled = ${boolToString (active "mailserver")}`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`filter = postfix-sasl`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`port = postfix,imap3,imaps,pop3,pop3s`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`maxretry = 3`
			`action = iptables[name=postfix, port=smtp, protocol=tcp]`
			`'';`
			`postfix-ddos = ''`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`enabled = ${boolToString (active "mailserver")}`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`filter = postfix-ddos`
			`maxretry = 3`
			`action = iptables[name=postfix, port=submission, protocol=tcp]`
			`bantime = 7200`
			`'';`

			`nginx-req-limit = ''`
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`enabled = ${boolToString (active "nginx")}`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`filter = nginx-req-limit`
			`maxretry = 10`
			`action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]`
			`findtime = 600`
			`bantime = 7200`
Modularized configuration now kind of works. (still need to do some refactoring) 2019-03-20 02:57:59 +01:00			`'';`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`};`
fail2ban: Fix some broken jails (socket based sshd is still broken). 2020-03-27 13:36:53 +01:00			`};`

			`environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {`
			`enable = (active "openssh");`
			`text = ''`
			`[Definition]`
			`failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$`
			`ignoreregex =`
			`'';`
			`};`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {`
			`enable = (active "mailserver");`
			`text = ''`
			`# Fail2Ban filter for postfix authentication failures`
			`[INCLUDES]`
			`before = common.conf`
			`[Definition]`
			`daemon = postfix/smtpd`
			`failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN\|PLAIN\|(?:CRAM\|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]={0,2})?\s$`
			`'';`
			`};`

			`environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {`
			`enable = (active "mailserver");`
			`text = ''`
			`[Definition]`
			`failregex = lost connection after EHLO from \S+\[<HOST>\]`
			`'';`
			`};`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00
Fix fail2ban issues. 2019-09-06 11:39:24 +02:00			`environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {`
			`enable = (active "nginx");`
			`text = ''`
			`[Definition]`
			`failregex = limiting requests, excess:.* by zone.*client: <HOST>`
			`'';`
			`};`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00
			`# Limit stack size to reduce memory usage`
			`systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;`
			`}`