# Copyright Tom Hubrecht, (2023) # # Tom Hubrecht # # This software is a computer program whose purpose is to configure # machines and servers with NixOS. # # This software is governed by the CeCILL license under French law and # abiding by the rules of distribution of free software. You can use, # modify and/ or redistribute the software under the terms of the CeCILL # license as circulated by CEA, CNRS and INRIA at the following URL # "http://www.cecill.info". # # As a counterpart to the access to the source code and rights to copy, # modify and redistribute granted by the license, users are provided only # with a limited warranty and the software's author, the holder of the # economic rights, and the successive licensors have only limited # liability. # # In this respect, the user's attention is drawn to the risks associated # with loading, using, modifying and/or developing or reproducing the # software by the user in light of its specific status of free software, # that may mean that it is complicated to manipulate, and that also # therefore means that it is reserved for developers and experienced # professionals having in-depth computer knowledge. Users are therefore # encouraged to load and test the software's suitability as regards their # requirements in conditions enabling the security of their systems and/or # data to be ensured and, more generally, to use and operate it in the # same conditions as regards security. # # The fact that you are presently reading this means that you have had # knowledge of the CeCILL license and that you accept its terms. 
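# Fail2ban jail definitions, keyed by jail name. Each jail carries an inline
# filter (`filter.Definition`) and its jail `settings`.
# NOTE(review): presumably consumed by the NixOS fail2ban module's jail
# options; confirm against the importing module.
#
# Every failregex needs a host tag (`<HOST>`) so fail2ban knows which address
# to ban; without one the filter cannot identify an offender. In this copy
# the regexes had no tag, leaving tell-tale gaps such as `\[\]`.
#
# NOTE(review): the sshd/postfix jails set `journalmatch` but no `backend`;
# they rely on the default backend being the systemd journal. Confirm.
_:

{
  # Scanner noise on the web server: 404 responses to GET requests whose
  # request line mentions typical probe targets (PHP files, admin panels,
  # WordPress paths, matrix/server).
  nginx-spam = {
    # `^<HOST>` assumes each access-log line starts with the client address,
    # as in nginx's default `combined` format. Confirm if a custom log_format
    # is in use. Behind a reverse proxy or CDN this would be the proxy's
    # address, and banning it would cut off every client behind it.
    # The dot in the HTTP version is escaped so it matches only a literal ".".
    filter.Definition.failregex = ''^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d\.\d\" 404.*$'';

    settings = {
      logpath = "/var/log/nginx/access.log";
      backend = "auto";
      # High threshold: 500 matching requests within 60 s before a ban, so
      # only sustained scanning trips the jail.
      maxretry = 500;
      findtime = 60;
    };
  };

  # The jails below ban on the first matching log line (maxretry = 1).
  # A single mistyped password from a legitimate user also matches, so keep
  # trusted admin ranges in fail2ban's `ignoreip` to avoid self-lockout.

  # Failed SASL LOGIN attempts against postfix.
  postfix-bruteforce = {
    filter.Definition = {
      # Matches "warning: <hostname>[<address>]: SASL LOGIN authentication failed".
      failregex = "warning: [\\w\\.\\-]+\\[<HOST>\\]: SASL LOGIN authentication failed.*$";
      journalmatch = "_SYSTEMD_UNIT=postfix.service";
    };

    settings = {
      findtime = 600;
      maxretry = 1;
    };
  };

  # PAM-level password authentication failures reported by sshd.
  sshd-bruteforce = {
    filter.Definition = {
      failregex = "pam_unix\\(sshd:auth\\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<HOST>.*$";
      journalmatch = "_SYSTEMD_UNIT=sshd.service";
    };

    settings = {
      findtime = 600;
      maxretry = 1;
    };
  };

  # Clients that disconnect with "Bye Bye" before authenticating.
  sshd-preauth = {
    filter.Definition = {
      failregex = "Received disconnect from <HOST> port .* Bye Bye \\[preauth\\]$";
      journalmatch = "_SYSTEMD_UNIT=sshd.service";
    };

    settings = {
      findtime = 600;
      maxretry = 1;
    };
  };

  # Connections that sshd drops because authentication never completed in time.
  sshd-timeout = {
    filter.Definition = {
      failregex = "fatal: Timeout before authentication for <HOST>.*$";
      journalmatch = "_SYSTEMD_UNIT=sshd.service";
    };

    settings = {
      findtime = 600;
      maxretry = 1;
    };
  };
}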