spoody/server-configuration
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
server-configuration/services/fail2ban.nix
baritone bca28a54e5 i put vaultwarden in the wrong spot lmao
2025-03-27 15:43:38 +01:00

121 lines
3.6 KiB
Nix
Executable file
Raw Permalink Blame History

{
pkgs,
lib,
config,
...
}: {
services.fail2ban = {
enable = true;
bantime = "24h";
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(banFactor)";
maxtime = "6969h";
overalljails = true;
};
jails = {
dovecot = lib.mkIf config.services.dovecot2.enable {
settings = {
# block IPs which failed to log-in
# aggressive mode add blocking for aborted connections
filter = "dovecot[mode=aggressive]";
maxretry = 3;
};
};
jellyfin = lib.mkIf config.services.jellyfin.enable {
settings = {
filter = "jellyfin";
backend = "systemd";
enabled = true;
port = "80,443";
maxretry = 8;
bantime = "24h";
findtime = "30m";
journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
};
};
forgejo = lib.mkIf config.services.forgejo.enable {
settings = {
filter = "forgejo";
backend = "systemd";
enabled = true;
port = "80,443";
maxretry = 8;
bantime = "24h";
findtime = "30m";
journalmatch = "_SYSTEMD_UNIT=forgejo.service";
};
};
sonarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
settings = {
filter = "arr";
backend = "auto";
enabled = true;
port = "80,443";
maxretry = 8;
bantime = "24h";
findtime = "30m";
logpath = "/var/lib/auto-torrent/sonarr/logs/*.txt";
};
};
radarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
settings = {
filter = "arr";
backend = "auto";
enabled = true;
port = "80,443";
maxretry = 8;
bantime = "24h";
findtime = "30m";
logpath = "/var/lib/auto-torrent/radarr/logs/*.txt";
};
};
vaultwarden = lib.mkIf config.services.vaultwarden.enable {
settings = {
filter = "vaultwarden";
backend = "systemd";
enabled = true;
port = "80,443";
maxretry = 8;
bantime = "24h";
findtime = "30m";
journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
};
};
};
};
environment.etc = {
# Jellyfin
"fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: <ADDR>\)\.
'');
# Forgejo
"fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ^.*Failed authentication attempt for .* from <ADDR>.*$
'');
# *arr
"fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ^.*Auth-Failure ip <ADDR> username.*$
'');
# Vaultwarden
"fail2ban/filter.d/vaultwarden.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ^.*Username or password is incorrect. Try again. IP: <ADDR>\. Username: .*$
'');
# Defines a filter that detects URL probing by reading the Nginx access log
"fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
'');
};
}
Reference in a new issue View git blame Copy permalink