treewide: Add fail2ban #63
3 changed files with 63 additions and 0 deletions
|
|
@ -84,5 +84,26 @@
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
extraPackages = [pkgs.ipset];
|
||||||
|
banaction = "iptables-ipset-proto6-allports";
|
||||||
|
bantime-increment.enable = true;
|
||||||
|
|
||||||
|
jails = {
|
||||||
|
nginx-botsearch = ''
|
||||||
|
enabled = true
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
ignoreIP = [
|
||||||
|
"127.0.0.0/8"
|
||||||
|
"10.0.0.0/8"
|
||||||
|
"172.16.0.0/12"
|
||||||
|
"192.168.0.0/16"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
system.stateVersion = "20.09";
|
system.stateVersion = "20.09";
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -28,4 +28,23 @@ in {
|
||||||
|
|
||||||
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Block repeated failed login attempts
|
||||||
|
#
|
||||||
|
# TODO(tlater): Update to the new regex, since apparently this one
|
||||||
|
# is deprecated (but the new one doesn't work on the current version
|
||||||
|
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
|
||||||
|
environment.etc = {
|
||||||
|
"fail2ban/filter.d/gitea.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
||||||
|
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.fail2ban.jails = {
|
||||||
|
gitea = ''
|
||||||
|
enabled = true
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -96,4 +96,27 @@ in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Block repeated failed login attempts
|
||||||
|
environment.etc = {
|
||||||
|
"fail2ban/filter.d/nextcloud.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
|
||||||
|
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
|
||||||
|
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
|
||||||
|
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
||||||
|
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.fail2ban.jails = {
|
||||||
|
nextcloud = ''
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
# Nextcloud does some throttling already, so we need to set
|
||||||
|
# these to something bigger.
|
||||||
|
findtime = 43200
|
||||||
|
bantime = 86400
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue