treewide: Add fail2ban
This commit is contained in:
parent
325e8a0ea1
commit
c4fa991b62
|
@ -84,5 +84,26 @@
|
|||
acceptTerms = true;
|
||||
};
|
||||
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
extraPackages = [pkgs.ipset];
|
||||
banaction = "iptables-ipset-proto6-allports";
|
||||
bantime-increment.enable = true;
|
||||
|
||||
jails = {
|
||||
nginx-botsearch = ''
|
||||
enabled = true
|
||||
logpath = /var/log/nginx/access.log
|
||||
'';
|
||||
};
|
||||
|
||||
ignoreIP = [
|
||||
"127.0.0.0/8"
|
||||
"10.0.0.0/8"
|
||||
"172.16.0.0/12"
|
||||
"192.168.0.0/16"
|
||||
];
|
||||
};
|
||||
|
||||
system.stateVersion = "20.09";
|
||||
}
|
||||
|
|
|
@ -28,4 +28,23 @@ in {
|
|||
|
||||
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
||||
};
|
||||
|
||||
# Block repeated failed login attempts
|
||||
#
|
||||
# TODO(tlater): Update to the new regex, since apparently this one
|
||||
# is deprecated (but the new one doesn't work on the current version
|
||||
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/gitea.conf".text = ''
|
||||
[Definition]
|
||||
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
||||
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
|
||||
'';
|
||||
};
|
||||
|
||||
services.fail2ban.jails = {
|
||||
gitea = ''
|
||||
enabled = true
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -96,4 +96,27 @@ in {
|
|||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
# Block repeated failed login attempts
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/nextcloud.conf".text = ''
|
||||
[Definition]
|
||||
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
|
||||
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
|
||||
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
|
||||
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
||||
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
|
||||
'';
|
||||
};
|
||||
|
||||
services.fail2ban.jails = {
|
||||
nextcloud = ''
|
||||
enabled = true
|
||||
|
||||
# Nextcloud does some throttling already, so we need to set
|
||||
# these to something bigger.
|
||||
findtime = 43200
|
||||
bantime = 86400
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue