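{ config, lib, ... }:

# fail2ban jails for hosts that list "fail2ban" in their service set.
# Mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
#
# `config.machine.services` is an option declared elsewhere in this
# configuration; nothing here is applied unless "fail2ban" is a member of it.

with lib;

mkIf (elem "fail2ban" config.machine.services) {
  services.fail2ban = {
    enable = true;

    jails = {
      # DEFAULT is fail2ban's special section: every value here is inherited by
      # each jail below unless the jail sets its own.
      DEFAULT = ''
        bantime = 3600
        ignoreip = 127.0.0.1
        logpath = /var/log/auth.log
      '';
      # - ignoreip exempts exactly 127.0.0.1, not the whole 127.0.0.0/8 range.
      # - NOTE(review): on NixOS the daemons below log to the journal by
      #   default, so /var/log/auth.log only exists if a syslog daemon is
      #   configured to write it. Jails that inherit a non-existent logpath
      #   presumably refuse to start; `backend = systemd` would read the
      #   journal instead -- confirm against the running system.

      # Brute-force logins against sshd; ban after 4 failures.
      ssh = ''
        enabled = true
        filter = sshd
        maxretry = 4
        action = iptables[name=SSH, port=ssh, protocol=tcp]
      '';

      # Connections dropped before authentication (pre-auth flood); stricter
      # threshold than the login jail.
      # NOTE(review): assumes the installed fail2ban still ships a separate
      # `sshd-ddos` filter -- newer releases folded it into `sshd` as a
      # `mode = ddos` setting; verify the filter file exists.
      sshd-ddos = ''
        enabled = true
        filter = sshd-ddos
        maxretry = 2
        action = iptables[name=ssh, port=ssh, protocol=tcp]
      '';

      # Generic postfix abuse (rejected recipients, relay attempts, ...).
      postfix = ''
        enabled = true
        filter = postfix
        maxretry = 3
        action = iptables[name=postfix, port=smtp, protocol=tcp]
      '';

      # SASL authentication failures on the submission path.
      # NOTE(review): same caveat as sshd-ddos -- `postfix-sasl` became
      # `mode = auth` of the `postfix` filter in newer fail2ban; verify.
      postfix-sasl = ''
        enabled = true
        filter = postfix-sasl
        maxretry = 3
        action = iptables[name=postfix, port=smtp, protocol=tcp]
      '';

      # Clients that disconnect right after EHLO (see the custom filter
      # defined under environment.etc below); banned twice as long as default.
      postfix-ddos = ''
        enabled = true
        filter = postfix-ddos
        maxretry = 3
        action = iptables[name=postfix, port=submission, protocol=tcp]
        bantime = 7200
      '';

      # Clients that trip nginx's request rate limiting 10 times within
      # findtime (600 s); blocks both http and https for 7200 s.
      # NOTE(review): this jail sets no logpath and therefore inherits
      # /var/log/auth.log from DEFAULT, but nginx writes "limiting requests"
      # lines to its own error log, so it presumably never matches as
      # written -- a per-jail logpath (or the systemd backend) looks needed;
      # confirm.
      nginx-req-limit = ''
        enabled = true
        filter = nginx-req-limit
        maxretry = 10
        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
        findtime = 600
        bantime = 7200
      '';
    };
  };

  # Custom filters referenced by the postfix-ddos and nginx-req-limit jails.
  # Every failregex must contain the <HOST> tag: that capture is how fail2ban
  # learns which address to ban, and a regex without it is rejected when the
  # jail is loaded. The tag was missing from both patterns here (most likely
  # lost as an HTML tag during extraction) and is restored.
  environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
    [Definition]
    failregex = lost connection after EHLO from \S+\[<HOST>\]
  '';

  environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
    [Definition]
    failregex = limiting requests, excess:.* by zone.*client: <HOST>
  '';

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}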