From 29c876ce836f309ce7a1d90d3fffaa28655952ef Mon Sep 17 00:00:00 2001
From: derped
Date: Fri, 6 Sep 2019 11:39:24 +0200
Subject: [PATCH] Fix fail2ban issues.

---
 services/fail2ban.nix | 56 ++++++++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 17 deletions(-)

diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index ef73c7a..64e1da2 100644
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@@ -1,45 +1,49 @@
 { config, lib, ... }:
-# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
 with lib;
-mkIf (elem "fail2ban" config.machine.services) {
+let
+ cfg = config.machine;
+ active = name: (elem name cfg.services);
+in mkIf (elem "fail2ban" cfg.services) {
 services.fail2ban = {
 enable = true;
 jails = {
 DEFAULT = ''
 bantime = 3600
 ignoreip = 127.0.0.1
+ blocktype = DROP
 logpath = /var/log/auth.log
 '';
 ssh = ''
- enabled = true
+ enabled = ${boolToString (active "openssh")}
 filter = sshd
 maxretry = 4
 action = iptables[name=SSH, port=ssh, protocol=tcp]
 '';
 sshd-ddos = ''
- enabled = true
+ enabled = ${boolToString (active "openssh")}
 filter = sshd-ddos
- maxretry = 2
+ maxretry = 4
 action = iptables[name=ssh, port=ssh, protocol=tcp]
 '';
 postfix = ''
- enabled = true
+ enabled = ${boolToString (active "mailserver")}
 filter = postfix
 maxretry = 3
 action = iptables[name=postfix, port=smtp, protocol=tcp]
 '';
 postfix-sasl = ''
- enabled = true
+ enabled = ${boolToString (active "mailserver")}
 filter = postfix-sasl
+ port = postfix,imap3,imaps,pop3,pop3s
 maxretry = 3
 action = iptables[name=postfix, port=smtp, protocol=tcp]
 '';
 postfix-ddos = ''
- enabled = true
+ enabled = ${boolToString (active "mailserver")}
 filter = postfix-ddos
 maxretry = 3
 action = iptables[name=postfix, port=submission, protocol=tcp]
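Review bot: The `postfix`, `postfix-sasl` and `postfix-ddos` jails all pass `name=postfix` to the `iptables` action, so they share one `f2b-postfix` chain; the iptables action creates `f2b-<name>` on jail start and flushes and deletes it on jail stop, so the second and third jails already collide on start and a restart or stop of any one of them silently removes the bans the other two inserted. Give each jail its own chain, e.g. `action = iptables[name=postfix-sasl, port=smtp, protocol=tcp]` and `name=postfix-ddos`. The `port = postfix,imap3,imaps,pop3,pop3s` line added to `postfix-sasl` is dead as written: the action line's explicit `port=smtp` is what iptables is given, the single-port `iptables` action does not take a list, and `postfix` is not a name iptables can resolve from `/etc/services`, so to actually cover those services use `action = iptables-multiport[name=postfix-sasl, port="smtp,submission,imap,imaps,pop3,pop3s", protocol=tcp]`. Likewise `blocktype = DROP` in DEFAULT is a jail option rather than an action parameter; unless this fail2ban version forwards jail options into the action's `[Init]` section it never reaches iptables-common and the default REJECT stays in effect, so pass `blocktype=DROP` inside the action brackets to be sure.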
@@ -47,7 +51,7 @@ mkIf (elem "fail2ban" config.machine.services) {
 '';
 nginx-req-limit = ''
- enabled = true
+ enabled = ${boolToString (active "nginx")}
 filter = nginx-req-limit
 maxretry = 10
 action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
@@ -57,15 +61,33 @@ mkIf (elem "fail2ban" config.machine.services) {
 };
 };
- environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
- [Definition]
- failregex = lost connection after EHLO from \S+\[\]
- '';
+ environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
+ enable = (active "mailserver");
+ text = ''
+ # Fail2Ban filter for postfix authentication failures
+ [INCLUDES]
+ before = common.conf
+ [Definition]
+ daemon = postfix/smtpd
+ failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+ '';
+ };
- environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
- [Definition]
- failregex = limiting requests, excess:.* by zone.*client:
- '';
+ environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
+ enable = (active "mailserver");
+ text = ''
+ [Definition]
+ failregex = lost connection after EHLO from \S+\[\]
+ '';
+ };
+
+ environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
+ enable = (active "nginx");
+ text = ''
+ [Definition]
+ failregex = limiting requests, excess:.* by zone.*client:
+ '';
+ };
 # Limit stack size to reduce memory usage
 systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
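Review bot: The re-added `postfix-ddos` failregex is unanchored and does not go through `common.conf`/`%(__prefix_line)s` the way the new `postfix-sasl` filter directly above it does, and since every jail inherits `logpath = /var/log/auth.log` from DEFAULT (hunk 1), any line in that log carrying attacker-chosen text — an sshd "Invalid user …" entry, say — can be made to contain `lost connection after EHLO from x[1.2.3.4]` and get an address of the attacker's choosing banned; spoofing loose filters through shared logs is a known fail2ban weakness. The `.*`-laden `nginx-req-limit` regex has the same shape, so anchor both at the line start and on the daemon prefix (fail2ban also ships a `nginx-limit-req` filter for this, if I recall correctly). Separately, all three regexes as printed here end in `\[\]` or `client: ` with no `<HOST>` capture, which fail2ban refuses to load; that is most likely the page rendering swallowing the angle-bracket tag, but it is worth confirming in the file. Rewritten filter bodies below; the `enable`/`text` wrapping and the `postfix-sasl` entry are unchanged.
```nix
  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
    enable = (active "mailserver");
    text = ''
      [INCLUDES]
      before = common.conf
      [Definition]
      daemon = postfix/smtpd
      failregex = ^%(__prefix_line)slost connection after EHLO from \S+\[<HOST>\]\s*$
    '';
  };

  environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
    enable = (active "nginx");
    text = ''
      [Definition]
      # anchored on nginx's error-log prefix so only a genuine limit_req event matches
      failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d.]+ by zone "[^"]+", client: <HOST>,
    '';
  };
```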