{ config, lib, ... }: with lib; let cfg = config.machine; active = name: (elem name cfg.services); in mkIf (elem "fail2ban" cfg.services) { services.fail2ban = { enable = true; jails = { DEFAULT = '' bantime = 3600 ignoreip = 127.0.0.1 blocktype = DROP logpath = /var/log/auth.log ''; ssh = '' enabled = ${boolToString (active "openssh")} filter = sshd maxretry = 4 action = iptables[name=SSH, port=ssh, protocol=tcp] ''; sshd-ddos = '' enabled = ${boolToString (active "openssh")} filter = sshd-ddos maxretry = 4 action = iptables[name=ssh, port=ssh, protocol=tcp] ''; postfix = '' enabled = ${boolToString (active "mailserver")} filter = postfix maxretry = 3 action = iptables[name=postfix, port=smtp, protocol=tcp] ''; postfix-sasl = '' enabled = ${boolToString (active "mailserver")} filter = postfix-sasl port = postfix,imap3,imaps,pop3,pop3s maxretry = 3 action = iptables[name=postfix, port=smtp, protocol=tcp] ''; postfix-ddos = '' enabled = ${boolToString (active "mailserver")} filter = postfix-ddos maxretry = 3 action = iptables[name=postfix, port=submission, protocol=tcp] bantime = 7200 ''; nginx-req-limit = '' enabled = ${boolToString (active "nginx")} filter = nginx-req-limit maxretry = 10 action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] findtime = 600 bantime = 7200 ''; }; }; environment.etc."fail2ban/filter.d/postfix-sasl.conf" = { enable = (active "mailserver"); text = '' # Fail2Ban filter for postfix authentication failures [INCLUDES] before = common.conf [Definition] daemon = postfix/smtpd failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ ''; }; environment.etc."fail2ban/filter.d/postfix-ddos.conf" = { enable = (active "mailserver"); text = '' [Definition] failregex = lost connection after EHLO from \S+\[\] ''; }; environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = { enable = (active "nginx"); text = '' [Definition] failregex = limiting requests, excess:.* by zone.*client: ''; }; # Limit stack size to reduce memory usage systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; }