services/fail2ban: Moved to nftables, made it actually work

This commit is contained in:
kat witch 2021-05-03 18:02:19 +01:00
parent b179cfe01b
commit aae5a7d250
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
2 changed files with 12 additions and 8 deletions


@ -3,23 +3,27 @@
{
services.fail2ban = {
enable = true;
packageFirewall = pkgs.nftables;
banaction="nftables-multiport";
banaction-allports = "nftables-allports";
jails = {
DEFAULT = ''
bantime = 1d
default = ''
bantime = 7d
blocktype = DROP
logpath = /var/log/auth.log
action = nftables-allports
logpath = /var/log/auth.log
'';
ssh = ''
enabled = true
filter = sshd
maxretry = 4
action = iptables[name=SSH, port=ssh, protocol=tcp]
action = nftables-multiport[name=SSH, port=ssh, protocol=tcp]
'';
sshd-ddos = ''
enabled = true
filter = sshd-ddos
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
action = nftables-multiport[name=ssh, port=ssh, protocol=tcp]
'';
};
};
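Review bot: Renaming the shared section from `DEFAULT` to `default` (the `default = ''` line that replaces `DEFAULT = ''`) most likely turns the defaults into an ordinary, never-enabled jail named `default`: fail2ban reads jail.local with Python's configparser, whose defaults section is the case-sensitive `[DEFAULT]`, so `bantime = 7d`, `blocktype = DROP` and `action = nftables-allports` would no longer apply to the `ssh` and `sshd-ddos` jails, and these lines would no longer be merged with the `jails.DEFAULT` the NixOS module appears to populate itself. Keep the attribute as `DEFAULT = ''` unless the module is known to normalise the name. Separately, `blocktype` is an nftables action parameter (set in the action's `[Init]` section or in brackets), so a bare `blocktype = DROP` in the jail section is unlikely to reach the action, and nft verdicts are lowercase (`drop`, not `DROP`); if the intent is to drop rather than reject, pass it explicitly, `action = nftables-allports[blocktype=drop]`. Both points are worth confirming against the installed fail2ban version before merging.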


@ -10,20 +10,20 @@ with lib;
enabled = true
filter = postfix
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
'';
postfix-sasl = ''
enabled = true
filter = postfix-sasl
port = postfix,imap3,imaps,pop3,pop3s
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
'';
postfix-ddos = ''
enabled = true
filter = postfix-ddos
maxretry = 3
action = iptables[name=postfix, port=submission, protocol=tcp]
action = nftables-multiport[name=postfix, port=submission, protocol=tcp]
bantime = 7200
'';
};
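Review bot: In the `postfix-sasl` jail the explicit `action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]` overrides the jail's own `port = postfix,imap3,imaps,pop3,pop3s` line, so SASL brute-forcers are blocked only on smtp while the IMAP/POP ports they were caught on stay open to them. All three postfix jails also pass `name=postfix`, which presumably makes them share one nftables set and rule (`f2b-postfix`/`addr-set-postfix`), so stopping or flushing any one jail would clear the bans of the other two and each jail start adds a duplicate rule. Since `banaction = nftables-multiport` is now set for the whole fail2ban module, the simplest fix is to delete the three `action = …` lines and let each jail derive its own `name` and `port`; failing that, give each a distinct `name=` and move the port list into the bracket parameter, e.g. `action = nftables-multiport[name=postfix-sasl, port="smtp,submission,imaps,pop3s", protocol=tcp]`. The `imap3` entry (port 220) rather than `imap` (143) also looks unintended. The enclosing `jails` attribute set starts before this hunk, so I cannot see whether an earlier entry changes these defaults.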