treewide: Add fail2ban

This commit is contained in:
Tristan Daniël Maat 2022-10-14 01:11:15 +01:00
parent 325e8a0ea1
commit c4fa991b62
Signed by: tlater
GPG key ID: 49670FD774E43268
3 changed files with 63 additions and 0 deletions

View file

@ -84,5 +84,26 @@
acceptTerms = true; acceptTerms = true;
}; };
services.fail2ban = {
enable = true;
extraPackages = [pkgs.ipset];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
system.stateVersion = "20.09"; system.stateVersion = "20.09";
} }

View file

@ -28,4 +28,23 @@ in {
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
}; };
# Block repeated failed login attempts
#
# TODO(tlater): Update to the new regex, since apparently this one
# is deprecated (but the new one doesn't work on the current version
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
environment.etc = {
"fail2ban/filter.d/gitea.conf".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
'';
};
services.fail2ban.jails = {
gitea = ''
enabled = true
'';
};
} }

View file

@ -96,4 +96,27 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
# Block repeated failed login attempts
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
'';
};
services.fail2ban.jails = {
nextcloud = ''
enabled = true
# Nextcloud does some throttling already, so we need to set
# these to something bigger.
findtime = 43200
bantime = 86400
'';
};
} }