Fix fail2ban issues.

This commit is contained in:
Kevin Baensch 2019-09-06 11:39:24 +02:00
parent 94e969abd9
commit 29c876ce83

View file

@ -1,45 +1,49 @@
{ config, lib, ... }: { config, lib, ... }:
# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
with lib; with lib;
mkIf (elem "fail2ban" config.machine.services) { let
cfg = config.machine;
active = name: (elem name cfg.services);
in mkIf (elem "fail2ban" cfg.services) {
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
jails = { jails = {
DEFAULT = '' DEFAULT = ''
bantime = 3600 bantime = 3600
ignoreip = 127.0.0.1 ignoreip = 127.0.0.1
blocktype = DROP
logpath = /var/log/auth.log logpath = /var/log/auth.log
''; '';
ssh = '' ssh = ''
enabled = true enabled = ${boolToString (active "openssh")}
filter = sshd filter = sshd
maxretry = 4 maxretry = 4
action = iptables[name=SSH, port=ssh, protocol=tcp] action = iptables[name=SSH, port=ssh, protocol=tcp]
''; '';
sshd-ddos = '' sshd-ddos = ''
enabled = true enabled = ${boolToString (active "openssh")}
filter = sshd-ddos filter = sshd-ddos
maxretry = 2 maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp] action = iptables[name=ssh, port=ssh, protocol=tcp]
''; '';
postfix = '' postfix = ''
enabled = true enabled = ${boolToString (active "mailserver")}
filter = postfix filter = postfix
maxretry = 3 maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp] action = iptables[name=postfix, port=smtp, protocol=tcp]
''; '';
postfix-sasl = '' postfix-sasl = ''
enabled = true enabled = ${boolToString (active "mailserver")}
filter = postfix-sasl filter = postfix-sasl
port = postfix,imap3,imaps,pop3,pop3s
maxretry = 3 maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp] action = iptables[name=postfix, port=smtp, protocol=tcp]
''; '';
postfix-ddos = '' postfix-ddos = ''
enabled = true enabled = ${boolToString (active "mailserver")}
filter = postfix-ddos filter = postfix-ddos
maxretry = 3 maxretry = 3
action = iptables[name=postfix, port=submission, protocol=tcp] action = iptables[name=postfix, port=submission, protocol=tcp]
@ -47,7 +51,7 @@ mkIf (elem "fail2ban" config.machine.services) {
''; '';
nginx-req-limit = '' nginx-req-limit = ''
enabled = true enabled = ${boolToString (active "nginx")}
filter = nginx-req-limit filter = nginx-req-limit
maxretry = 10 maxretry = 10
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
@ -57,15 +61,33 @@ mkIf (elem "fail2ban" config.machine.services) {
}; };
}; };
environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = '' environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
enable = (active "mailserver");
text = ''
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
'';
};
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
enable = (active "mailserver");
text = ''
[Definition] [Definition]
failregex = lost connection after EHLO from \S+\[<HOST>\] failregex = lost connection after EHLO from \S+\[<HOST>\]
''; '';
};
environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = '' environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
enable = (active "nginx");
text = ''
[Definition] [Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST> failregex = limiting requests, excess:.* by zone.*client: <HOST>
''; '';
};
# Limit stack size to reduce memory usage # Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;