feat: enable fail2ban

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-10-23 21:39:19 +02:00
parent 49341364a8
commit 86347a68de
Signed by: lander
GPG key ID: 0142722B4B0C536F
4 changed files with 72 additions and 6 deletions


@ -51,6 +51,33 @@
''; '';
}; };
environment.etc = {
"fail2ban/filter.d/nginx-bruteforce.conf".text = ''
[Definition]
failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
'';
"fail2ban/filter.d/postfix-bruteforce.conf".text = ''
[Definition]
failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
journalmatch = _SYSTEMD_UNIT=postfix.service
'';
};
services.fail2ban = {
enable = true;
ignoreIP = [
"100.64.0.0/24" # tailnet
];
maxretry = 3;
bantime = "2h";
extraPackages = [ pkgs.ipset ];
banaction = "iptables-ipset-proto6-allports";
};
sops.secrets.tailscale-authkey = { sops.secrets.tailscale-authkey = {
owner = "root"; owner = "root";
group = "root"; group = "root";
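Review bot: The postfix filter's `failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$` only matches the LOGIN mechanism, while Postfix logs the same event for PLAIN as `SASL PLAIN authentication failed`, so a client trying PLAIN never accumulates failures toward the postfix-bruteforce jail. Widening it to `failregex = warning: [\w\.\-]+\[<HOST>\]: SASL (LOGIN|PLAIN) authentication failed.*$` keeps the `<HOST>` anchor and covers both. Separately, `ignoreIP = [ "100.64.0.0/24" ]` is commented as the tailnet, but Tailscale assigns node addresses from the whole 100.64.0.0/10 range, so tailnet peers outside that first /24 would presumably still be bannable; confirm the intended prefix before the jails go live. The enclosing attribute set continues outside the hunk on both sides.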


@ -29,6 +29,18 @@ in
]; ];
}; };
services.fail2ban.jails = {
# max 6 failures in 600 seconds
"nginx-spam" = ''
enabled = true
filter = nginx-bruteforce
logpath = /var/log/nginx/access.log
backend = auto
maxretry = 6
findtime = 600
'';
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
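Review bot: The `nginx-spam` jail body is copied verbatim into three host configurations (this section and the two that follow), so any change to `maxretry`, `findtime` or `logpath` has to be made three times and the copies will drift. Since the `nginx-bruteforce` filter it references is defined once in the shared module, the jail could live next to it, guarded with `lib.mkIf config.services.nginx.enable`, and be dropped from the per-host files. The `backend = auto` line also deserves a comment, because it is what makes fail2ban read the access.log file rather than the journal, presumably overriding a default inherited from the module's DEFAULT section; e.g. `# read the nginx access log file instead of the journal`. The surrounding module body continues outside the hunk.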


@ -1,9 +1,4 @@
{ { config, pkgs, ... }:
config,
lib,
pkgs,
...
}:
{ {
systemd.network.networks."30-wan".addresses = [ systemd.network.networks."30-wan".addresses = [
@ -23,6 +18,18 @@
]; ];
}; };
services.fail2ban.jails = {
# max 6 failures in 600 seconds
"nginx-spam" = ''
enabled = true
filter = nginx-bruteforce
logpath = /var/log/nginx/access.log
backend = auto
maxretry = 6
findtime = 600
'';
};
services.namespaced-vpn = { services.namespaced-vpn = {
enable = true; enable = true;
ips = [ ips = [


@ -12,6 +12,26 @@ in
} }
]; ];
services.fail2ban.jails = {
# max 6 failures in 600 seconds
"nginx-spam" = ''
enabled = true
filter = nginx-bruteforce
logpath = /var/log/nginx/access.log
backend = auto
maxretry = 6
findtime = 600
'';
# max 3 failures in 600 seconds
"postfix-bruteforce" = ''
enabled = true
filter = postfix-bruteforce
findtime = 600
maxretry = 3
'';
};
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.escapeangle.com"; fqdn = "mail.escapeangle.com";
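Review bot: The `postfix-bruteforce` jail sets no `logpath` and no `backend`, so it works only because the filter carries `journalmatch = _SYSTEMD_UNIT=postfix.service` and the fail2ban module's DEFAULT section presumably selects the systemd backend; neither dependency is visible from this file. A one-line comment above `"postfix-bruteforce" = ''` such as `# no logpath: matched from the journal via the filter's journalmatch on postfix.service` would spare the next reader from working out why this jail differs from nginx-spam. The `findtime = 600` / `maxretry = 3` pair is also written in the opposite order from the nginx-spam jail directly above; aligning the order is a small readability gain. The enclosing attribute set continues outside the hunk.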