feat: enable fail2ban

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-10-23 21:39:19 +02:00 · 2025-10-23 21:39:19 +02:00 · 86347a68de
commit 86347a68de
parent 49341364a8
4 changed files with 72 additions and 6 deletions
--- a/hosts/servers/common.nix
+++ b/hosts/servers/common.nix
@ -51,6 +51,33 @@
    '';
  };

+  environment.etc = {
+    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+      [Definition]
+      failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+    '';
+
+    "fail2ban/filter.d/postfix-bruteforce.conf".text = ''
+      [Definition]
+      failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
+      journalmatch = _SYSTEMD_UNIT=postfix.service
+    '';
+  };
+
+  services.fail2ban = {
+    enable = true;
+
+    ignoreIP = [
+      "100.64.0.0/24" # tailnet
+    ];
+
+    maxretry = 3;
+    bantime = "2h";
+
+    extraPackages = [ pkgs.ipset ];
+    banaction = "iptables-ipset-proto6-allports";
+  };
+
  sops.secrets.tailscale-authkey = {
    owner = "root";
    group = "root";