nixos/services/fail2ban.nix

104 lines
3 KiB
Nix

{
config,
lib,
...
}:
with lib; let
cfg = config.machine;
active = name: (elem name cfg.services);
in
mkIf (elem "fail2ban" cfg.services) {
services.fail2ban = {
enable = true;
jails = {
DEFAULT = ''
bantime = 3600
blocktype = DROP
logpath = /var/log/auth.log
'';
ssh = ''
enabled = ${boolToString (active "openssh")}
filter = sshd
maxretry = 4
action = iptables[name=SSH, port=ssh, protocol=tcp]
'';
sshd-ddos = ''
enabled = ${boolToString (active "openssh")}
filter = sshd-ddos
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
'';
postfix = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
'';
postfix-sasl = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix-sasl
port = postfix,imap3,imaps,pop3,pop3s
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
'';
postfix-ddos = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix-ddos
maxretry = 3
action = iptables[name=postfix, port=submission, protocol=tcp]
bantime = 7200
'';
nginx-req-limit = ''
enabled = ${boolToString (active "nginx")}
filter = nginx-req-limit
maxretry = 10
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
findtime = 600
bantime = 7200
'';
};
};
environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
enable = active "openssh";
text = ''
[Definition]
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
ignoreregex =
'';
};
environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
enable = active "mailserver";
text = ''
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
'';
};
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
enable = active "mailserver";
text = ''
[Definition]
failregex = lost connection after EHLO from \S+\[<HOST>\]
'';
};
environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
enable = active "nginx";
text = ''
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
'';
};
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}