{ pkgs, lib, config, ... }: { services.fail2ban = { enable = true; bantime = "24h"; bantime-increment = { enable = true; formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(banFactor)"; maxtime = "6969h"; overalljails = true; }; jails = { dovecot = lib.mkIf config.services.dovecot2.enable { settings = { # block IPs which failed to log-in # aggressive mode add blocking for aborted connections filter = "dovecot[mode=aggressive]"; maxretry = 3; }; }; jellyfin = lib.mkIf config.services.jellyfin.enable { settings = { filter = "jellyfin"; backend = "systemd"; enabled = true; port = "80,443"; maxretry = 8; bantime = "24h"; findtime = "30m"; journalmatch = "_SYSTEMD_UNIT=jellyfin.service"; # logpath = "/var/lib/jellyfin/log/*.log"; }; }; forgejo = lib.mkIf config.services.forgejo.enable { settings = { filter = "forgejo"; backend = "systemd"; enabled = true; port = "80,443"; maxretry = 8; bantime = "24h"; findtime = "30m"; journalmatch = "_SYSTEMD_UNIT=forgejo.service"; # logpath = "/var/lib/forgejo/log/*.log"; }; }; }; }; environment.etc = { # Jellyfin "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' [Definition] failregex = ^.*Authentication request for .* has been denied \(IP: \)\. ''); # Forgejo "fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' [Definition] failregex = ^.*Failed authentication attempt for .* from .*$ ''); # Defines a filter that detects URL probing by reading the Nginx access log "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' [Definition] failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2}) ''); }; }