treewide: Add fail2ban

2022-10-14 01:11:15 +01:00 · 2022-10-14 01:11:15 +01:00 · c4fa991b62
commit c4fa991b62
parent 325e8a0ea1
3 changed files with 63 additions and 0 deletions
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -96,4 +96,27 @@ in {
    forceSSL = true;
    enableACME = true;
  };
+
+  # Block repeated failed login attempts
+  environment.etc = {
+    "fail2ban/filter.d/nextcloud.conf".text = ''
+      [Definition]
+      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
+    '';
+  };
+
+  services.fail2ban.jails = {
+    nextcloud = ''
+      enabled = true
+
+      # Nextcloud does some throttling already, so we need to set
+      # these to something bigger.
+      findtime = 43200
+      bantime = 86400
+    '';
+  };
 }