feat(modules): Deploy fail2ban
parent
f3ab09fe4e
commit
fa799c9dda
5 changed files with 101 additions and 2 deletions
|
@ -4,6 +4,7 @@ lib.extra.mkConfig {
|
|||
enabledModules = [
|
||||
# List of modules to enable
|
||||
"dgn-dns"
|
||||
"dgn-fail2ban"
|
||||
"dgn-web"
|
||||
];
|
||||
|
||||
|
@ -22,5 +23,12 @@ lib.extra.mkConfig {
|
|||
"zammad"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
|
||||
"sshd-bruteforce"
|
||||
"sshd-timeout"
|
||||
];
|
||||
};
|
||||
|
||||
root = ./.;
|
||||
}
|
||||
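Review bot: The `extraConfig` block at the end of the hunk enables only `sshd-bruteforce` and `sshd-timeout`, while the same host enables `dgn-web` in the earlier hunk and lists `zammad`, so the `nginx-spam` jail this commit defines stays at its `mkDefault false` and whatever nginx serves here is presumably left uncovered. If that is deliberate (for instance because the host sits behind a proxy and the jail would ban the proxy's address), a short comment saves the next reader the question, e.g. `# nginx-spam intentionally off on this host; only the ssh jails are wanted here`; otherwise add `"nginx-spam"` to the list. The enclosing `lib.extra.mkConfig { ... }` call starts before this hunk.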
|
|
|
@ -40,6 +40,7 @@
|
|||
"dgn-acme"
|
||||
"dgn-console"
|
||||
"dgn-dns"
|
||||
"dgn-fail2ban"
|
||||
"dgn-hardware"
|
||||
"dgn-network"
|
||||
"dgn-secrets"
|
||||
|
|
|
@ -50,7 +50,8 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
dgn-fail2ban.jails = builtins.mapAttrs (_: j: j // { enabled = mkDefault false; })
|
||||
dgn-fail2ban.jails =
|
||||
builtins.mapAttrs (_: j: j // { enabled = mkDefault false; })
|
||||
(import ./jails.nix { });
|
||||
|
||||
services.fail2ban = {
|
||||
|
@ -60,7 +61,7 @@ in {
|
|||
|
||||
ignoreIP = [
|
||||
"10.0.0.0/8"
|
||||
"125.199.0.0/16"
|
||||
"129.199.0.0/16"
|
||||
"172.16.0.0/12"
|
||||
"192.168.0.0/16"
|
||||
"100.64.0.0/10"
|
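Review bot: `"129.199.0.0/16"` exempts an entire publicly routable /16 from every jail, so any host in that range — including a compromised one — gets unlimited attempts against the sshd and postfix jails; the replaced `125.199.0.0/16` reads like a typo being corrected, which is fine, but the breadth of the exemption itself is what deserves a second look. If the whole range really is required, state whose it is and why in place, e.g. `# <owner> range: whole /16 exempt from bans; narrow to the admin/monitoring hosts if possible`; the same applies to `"100.64.0.0/10"`, which is RFC 6598 shared address space rather than a private range and presumably stands for an overlay VPN. The `services.fail2ban` attribute set this list belongs to starts before this hunk.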
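--- /dev/null
+++ b/modules/dgn-fail2ban/jails.nix
@@ -0,0 +1,82 @@
+# Copyright Tom Hubrecht, (2023)
+#
+# Tom Hubrecht <tom@hubrecht.ovh>
+#
+# This software is a computer program whose purpose is to configure
+# machines and servers with NixOS.
+#
+# This software is governed by the CeCILL license under French law and
+# abiding by the rules of distribution of free software. You can use,
+# modify and/ or redistribute the software under the terms of the CeCILL
+# license as circulated by CEA, CNRS and INRIA at the following URL
+# "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and rights to copy,
+# modify and redistribute granted by the license, users are provided only
+# with a limited warranty and the software's author, the holder of the
+# economic rights, and the successive licensors have only limited
+# liability.
+#
+# In this respect, the user's attention is drawn to the risks associated
+# with loading, using, modifying and/or developing or reproducing the
+# software by the user in light of its specific status of free software,
+# that may mean that it is complicated to manipulate, and that also
+# therefore means that it is reserved for developers and experienced
+# professionals having in-depth computer knowledge. Users are therefore
+# encouraged to load and test the software's suitability as regards their
+# requirements in conditions enabling the security of their systems and/or
+# data to be ensured and, more generally, to use and operate it in the
+# same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had
+# knowledge of the CeCILL license and that you accept its terms.
+
+_: {
+nginx-spam = {
+filter.Definition.failregex = ''
+^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$'';
+
+settings = {
+logpath = "/var/log/nginx/access.log";
+backend = "auto";
+maxretry = 500;
+findtime = 60;
+};
+};
+
+postfix-bruteforce = {
+filter.Definition = {
+failregex = "warning: [\\w\\.\\-]+\\[<HOST>\\]: SASL LOGIN authentication failed.*$";
+journalmatch = "_SYSTEMD_UNIT=postfix.service";
+};
+
+settings = {
+findtime = 600;
+maxretry = 1;
+};
+};
+
+sshd-bruteforce = {
+filter.Definition = {
+failregex = "pam_unix\\(sshd:auth\\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ADDR>.*$";
+journalmatch = "_SYSTEMD_UNIT=sshd.service";
+};
+
+settings = {
+findtime = 600;
+maxretry = 1;
+};
+};
+
+sshd-timeout = {
+filter.Definition = {
+failregex = "fatal: Timeout before authentication for <ADDR>.*$";
+journalmatch = "_SYSTEMD_UNIT=sshd.service";
+};
+
+settings = {
+findtime = 600;
+maxretry = 1;
+};
+};
+}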
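Review bot: `sshd-bruteforce` and `postfix-bruteforce` both set `maxretry = 1` with `findtime = 600`, so a single PAM or SASL failure bans the source for the full bantime (not set in this file, presumably inherited from default.nix); a legitimate remote user who mistypes once is locked out, and behind a shared NAT so is everyone with them. Either relax to `maxretry = 3;` or record the zero-tolerance choice next to each jail, e.g. `# one strike: a single failure bans; trusted ranges are excluded via ignoreIP`. Also worth noting in comments: `sshd-bruteforce` only matches `pam_unix` failures, so public-key-only rejections and `Invalid user` pre-auth lines are not counted, and `nginx-spam` anchors `^<HOST>` on the raw access log, which is the address nginx itself sees — behind a proxy or CDN that would be the proxy. A one-line comment on each jail stating what it is meant to catch would make these limits explicit for whoever enables them.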
|
@ -134,5 +134,12 @@
|
|||
id = 252318;
|
||||
hash = "sha256-lI5WYFlxKvava9e+eTI8ZGogIb3uPOLAWFrkxbSlCXI=";
|
||||
}
|
||||
|
||||
# nixos/fail2ban: RFC42-ize
|
||||
{
|
||||
id = 201907;
|
||||
hash = "sha256-bkf37QTFgbnSz3s8QPm5Z+6rWVVOlDtISTR7FACEwMM=";
|
||||
excludes = [ "nixos/doc/manual/" ];
|
||||
}
|
||||
];
|
||||
}
|
||||
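Review bot: The new entry pins the patch by content hash, which is right, but `# nixos/fail2ban: RFC42-ize` gives neither an upstream link nor the reason it is needed; the `settings` and `filter.Definition` jail options used by `modules/dgn-fail2ban` in this commit presumably come from this not-yet-merged change, so if it is rebased or merged upstream the fetched content and its hash change and the module may stop evaluating with no pointer to why. If these ids are nixpkgs pull requests, suggest `# nixos/fail2ban: RFC42-ize — https://github.com/NixOS/nixpkgs/pull/201907; needed by modules/dgn-fail2ban for settings-style jails`. The enclosing patch list starts before this hunk.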
|
|