nixos/profiles/services/fail2ban.nix

   1 { pkgs, lib, ... }:
   2 {
   3   services.fail2ban = {
   4     banaction = lib.mkDefault "nftables-multiport";
   5     banaction-allports = lib.mkDefault "nftables-allports";
   6     packageFirewall = lib.mkDefault pkgs.nftables;
   7     bantime-increment = {
   8       enable = true;
   9       factor = "1";
  10       formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
  11       maxtime = "1y";
  12       overalljails = false;
  13       rndtime = "";
  14     };
  15   };
  16   /*
  17     systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
  18   */
  19   services.openssh.settings.LogLevel = "VERBOSE";
  20   services.postgresql.logLinePrefix = "%h ";
  21   environment.etc."fail2ban/action.d/nftables-common.local".text = ''
  22     [Init]
  23     blocktype = drop
  24   '';
  25   environment.etc."fail2ban/filter.d/postgresql.local".text = ''
  26     [INCLUDES]
  27     before = common.conf
  28     [DEFAULT]
  29     _daemon = postgresql-start
  30     [Definition]
  31     journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
  32     prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
  33     failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
  34                 ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
  35                 ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
  36                 ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
  37     maxlines = 1
  38     #ignoreregex = duration:
  39   '';
  40 }