{ pkgs, lib, config, servers, ... }:
let
  # Sources fail2ban must never ban. This becomes fail2ban's DEFAULT
  # ignoreip, so every address here is exempt from every jail below —
  # keep the list short and review it when one of these hosts changes hands.
  trustedHosts = [
    servers.mermet.ipv4
    servers.losurdo.ipv4
    "198.252.154.1" # wren.riseup.net
    "90.78.73.73" # openconcerto user
  ];

  # Escalating bans: with factor 1 the n-th ban of a source lasts
  # ban.Time * 2^min(ban.Count, 20), capped at one year.
  # overalljails = false keeps the ban count per jail instead of sharing it.
  escalation = {
    enable = true;
    factor = "1";
    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
    maxtime = "1y";
    multipliers = "";
    overalljails = false;
    rndtime = "";
  };

  # Jail bodies, emitted verbatim into jail.local.
  jailConfigs = {
    DEFAULT = ''
    '';
    # One failed attempt (maxretry = 1) within 15 days bans the source for
    # 5 minutes, growing on each repeat ban (see `escalation`). "aggressive"
    # is the sshd filter's most inclusive set of failure patterns; with
    # ignoreip covering the known hosts, any other user who mistypes once
    # is locked out for the ban duration.
    sshd = ''
      enabled = true
      bantime = 5m
      findtime = 15d
      maxretry = 1
      mode = aggressive
    '';
    # Uses the custom postgresql filter defined in this file. maxretry is
    # not set here, so the DEFAULT / packaged value applies.
    postgresql = ''
      enabled = true
      bantime = 1m
      filter = postgresql
      findtime = 15d
      port = 5432
    '';
  };

  # Drop-in overriding [Init] of the packaged nftables-common.conf so banned
  # traffic is dropped silently. NOTE(review): presumably the packaged
  # default is `reject` — confirm against the installed fail2ban version.
  nftablesCommonLocal = ''
    [Init]
    blocktype = drop
  '';

  # Custom filter for PostgreSQL authentication failures read from the
  # journal of postgresql.service. It relies on log_line_prefix placing the
  # client address (%h) first, which is what `<HOST>` anchors on.
  # NOTE(review): the continuation lines of failregex must stay indented
  # relative to "failregex =" after Nix strips the common indentation;
  # fail2ban's config parser would otherwise read them as separate keys and
  # only the first pattern would be active. `_daemon` feeds common.conf's
  # __prefix_line — presumably the identifier NixOS's unit logs under; verify.
  postgresqlFilter = ''
    [INCLUDES]
    before = common.conf
    [DEFAULT]
    _daemon = postgresql-start
    [Definition]
    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
    prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
    failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
                ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
                ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
                ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
    maxlines = 1
    #ignoreregex = duration:
  '';
in
{
  services = {
    # Verbose sshd logging so the sshd filter sees every failed attempt.
    sshd.logLevel = "VERBOSE";
    # Prefix each PostgreSQL log line with the client host only; the
    # fail2ban filter above depends on this exact prefix.
    # NOTE(review): assumes log_hostname stays off so %h is an address and
    # not a name — confirm. Newer NixOS releases expose this as
    # services.postgresql.settings; keep whichever the deployed release supports.
    postgresql.extraConfig = "log_line_prefix = '%h '";
    fail2ban = {
      enable = true;
      packageFirewall = pkgs.nftables;
      banaction = "nftables-multiport";
      banaction-allports = "nftables-allports";
      ignoreIP = trustedHosts;
      bantime-increment = escalation;
      jails = jailConfigs;
    };
  };
  environment.etc = {
    "fail2ban/action.d/nftables-common.local".text = nftablesCommonLocal;
    "fail2ban/filter.d/postgresql.local".text = postgresqlFilter;
  };
}