{ pkgs, hosts, ... }:
{
  services = {
    # The sshd jail below runs in "aggressive" mode, which (presumably — confirm
    # against the fail2ban sshd filter in use) needs sshd's VERBOSE log lines.
    openssh.settings.LogLevel = "VERBOSE";

    # Prefix every PostgreSQL log line with the client host so that the
    # `^<HOST>\s+FATAL:` patterns of the postgresql filter below can extract it.
    postgresql.logLinePrefix = "%h ";

    /*
    systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
    */

    fail2ban = {
      enable = true;
      # nftables is the firewall backend; both ban actions are nftables variants.
      packageFirewall = pkgs.nftables;
      banaction = "nftables-multiport";
      banaction-allports = "nftables-allports";

      # Escalating bans: each repeat offence doubles the ban (capped at 2^20
      # times the jail's bantime), never exceeding one year. Ban counts are
      # tracked per jail (overalljails = false) and no jitter is added.
      bantime-increment = {
        enable = true;
        factor = "1";
        formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
        maxtime = "1y";
        overalljails = false;
        rndtime = "";
      };

      # Sources that are never banned: loopback, the RFC1918 /16 LAN, the mermet
      # host's IPv4 and this host's own name. Keep every administrative source
      # here — the sshd jail bans after a single failed attempt.
      ignoreIP = [
        #"0.0.0.0/8"
        #"10.0.0.0/8"
        "127.0.0.0/8"
        #"169.254.0.0/16"
        #"172.16.0.0/12"
        #"192.0.2.0/24"
        "192.168.0.0/16"
        #"224.0.0.0/3"
        #"240.0.0.0/5"
        hosts.mermet._module.args.ipv4
        "losurdo.sourcephile.fr"
      ];

      jails = {
        # One failure within a day is enough: 5 minutes on the first ban,
        # escalating per bantime-increment above.
        sshd.settings = {
          enabled = true;
          mode = "aggressive";
          maxretry = "1";
          findtime = "1d";
          bantime = "5m";
        };

        # Uses the custom filter installed under filter.d/postgresql.local.
        postgresql.settings = {
          enabled = true;
          filter = "postgresql";
          port = 5432;
          findtime = "1d";
          bantime = "1m";
        };
      };
    };
  };

  environment.etc = {
    # Banned traffic is silently dropped rather than rejected.
    "fail2ban/action.d/nftables-common.local".text = ''
      [Init]
      blocktype = drop
    '';

    # Journal-based filter for PostgreSQL authentication failures. Each log line
    # is expected to start with the client host (see logLinePrefix above);
    # only the listed FATAL messages count as failures.
    "fail2ban/filter.d/postgresql.local".text = ''
      [INCLUDES]
      before = common.conf
      [DEFAULT]
      _daemon = postgresql-start
      [Definition]
      journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
      prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
      failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
                  ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
                  ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
                  ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
      maxlines = 1
      #ignoreregex = duration:
    '';
  };
}