Fix fail2ban issues.

2019-09-06 11:39:24 +02:00 · 2019-09-06 11:39:24 +02:00 · 29c876ce83
commit 29c876ce83
parent 94e969abd9
1 changed files with 39 additions and 17 deletions
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -1,45 +1,49 @@
 { config, lib, ... }:

-# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
 with lib;

-mkIf (elem "fail2ban" config.machine.services) {
+let
+  cfg = config.machine;
+  active = name: (elem name cfg.services);
+in mkIf (elem "fail2ban" cfg.services) {
  services.fail2ban = {
    enable = true;
    jails = { 
      DEFAULT = ''
        bantime  = 3600
        ignoreip = 127.0.0.1
+        blocktype = DROP
        logpath  = /var/log/auth.log
      '';

      ssh = ''
-        enabled = true
+        enabled = ${boolToString (active "openssh")}
        filter = sshd
        maxretry = 4
        action = iptables[name=SSH, port=ssh, protocol=tcp]
      '';
      sshd-ddos = ''
-        enabled  = true
+        enabled  = ${boolToString (active "openssh")}
        filter = sshd-ddos
-        maxretry = 2
+        maxretry = 4
        action   = iptables[name=ssh, port=ssh, protocol=tcp]
      '';

      postfix = ''
-        enabled  = true
+        enabled  = ${boolToString (active "mailserver")}
        filter   = postfix
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-sasl = ''
-        enabled  = true
+        enabled  = ${boolToString (active "mailserver")}
        filter   = postfix-sasl
+        port     = postfix,imap3,imaps,pop3,pop3s
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-ddos = ''
-        enabled  = true
+        enabled  = ${boolToString (active "mailserver")}
        filter   = postfix-ddos
        maxretry = 3
        action   = iptables[name=postfix, port=submission, protocol=tcp]
@ -47,7 +51,7 @@ mkIf (elem "fail2ban" config.machine.services) {
      '';

      nginx-req-limit = ''
-        enabled = true
+        enabled = ${boolToString (active "nginx")}
        filter = nginx-req-limit
        maxretry = 10
        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
@ -57,15 +61,33 @@ mkIf (elem "fail2ban" config.machine.services) {
    };
  }; 

-  environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
+  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
+    enable = (active "mailserver");
+    text = ''
+      # Fail2Ban filter for postfix authentication failures
+      [INCLUDES]
+      before = common.conf
+      [Definition]
+      daemon = postfix/smtpd
+      failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
+    enable = (active "mailserver");
+    text = ''
      [Definition]
      failregex = lost connection after EHLO from \S+\[<HOST>\]
    '';
+  };

-  environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
+  environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
+    enable = (active "nginx");
+    text = ''
      [Definition]
      failregex = limiting requests, excess:.* by zone.*client: <HOST>
    '';
+  };

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;