From f808f1b2fa13cdac318d32b7889e0e36ed9bf37e Mon Sep 17 00:00:00 2001
From: kat witch
Date: Thu, 25 Feb 2021 06:43:08 +0000
Subject: [PATCH] fail2ban

---
 config/hosts/athame/asterisk.nix | 2 +
 config/hosts/athame/configuration.nix | 2 +
 config/hosts/athame/fail2ban.nix | 85 +++++++++++++++++++++++++++
 config/hosts/athame/virtualhosts.nix | 4 +-
 4 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100644 config/hosts/athame/fail2ban.nix

diff --git a/config/hosts/athame/asterisk.nix b/config/hosts/athame/asterisk.nix
index e760359a..06bb46a2 100644
--- a/config/hosts/athame/asterisk.nix
+++ b/config/hosts/athame/asterisk.nix
@@ -127,8 +127,10 @@ in {
 '';
 "logger.conf" = ''
 [general]
+ dateformat=%F %T
 [logfiles]
 ; Add debug output to log
+ messages => security, notice,warning,error
 syslog.local0 => notice,warning,error,debug
 '';
 };
diff --git a/config/hosts/athame/configuration.nix b/config/hosts/athame/configuration.nix
index eb68c2e9..6748bf64 100644
--- a/config/hosts/athame/configuration.nix
+++ b/config/hosts/athame/configuration.nix
@@ -8,6 +8,8 @@
 # nginx
 ../../services/nginx.nix
 ./virtualhosts.nix
+ # security
+ ./fail2ban.nix
 # services
 ./mail.nix
 ./asterisk.nix
diff --git a/config/hosts/athame/fail2ban.nix b/config/hosts/athame/fail2ban.nix
new file mode 100644
index 00000000..73aaf0aa
--- /dev/null
+++ b/config/hosts/athame/fail2ban.nix
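Review bot: The new `messages => security, notice,warning,error` logger entry creates the file the fail2ban asterisk jail points at, but nothing in this change rotates `/var/log/asterisk/messages`, so it grows without bound unless rotation is configured elsewhere in the host config. Asterisk only emits `security`-level lines when `res_security_log` is loaded, which this hunk does not show; if that module is absent the jail is silently inert, so that is worth confirming. As a point of style the level list spacing is inconsistent (`security, notice,warning`); `messages => security,notice,warning,error` would match the `syslog.local0` line below it. The enclosing `''` string and attrset continue outside the hunk.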
@@ -0,0 +1,85 @@
+{ config, pkgs, ... }:
+
+{
+ services.fail2ban = {
+ enable = true;
+ jails = {
+ DEFAULT = ''
+ bantime = 3600
+ blocktype = DROP
+ logpath = /var/log/auth.log
+ '';
+ asterisk = ''
+ enabled = true
+ filter = asterisk
+ action = iptables-allports[name=ASTERISK, protocol=all]
+ sendmail[name=ASTERISK, dest=kat@kittywit.ch, sender=fail2ban@localhost]
+ logpath = /var/log/asterisk/messages
+ maxretry = 4
+ '';
+ ssh = ''
+ enabled = true
+ filter = sshd
+ maxretry = 4
+ action = iptables[name=SSH, port=ssh, protocol=tcp]
+ '';
+ sshd-ddos = ''
+ enabled = true
+ filter = sshd-ddos
+ maxretry = 4
+ action = iptables[name=ssh, port=ssh, protocol=tcp]
+ '';
+ postfix = ''
+ enabled = true
+ filter = postfix
+ maxretry = 3
+ action = iptables[name=postfix, port=smtp, protocol=tcp]
+ '';
+ postfix-sasl = ''
+ enabled = true
+ filter = postfix-sasl
+ port = postfix,imap3,imaps,pop3,pop3s
+ maxretry = 3
+ action = iptables[name=postfix, port=smtp, protocol=tcp]
+ '';
+ postfix-ddos = ''
+ enabled = true
+ filter = postfix-ddos
+ maxretry = 3
+ action = iptables[name=postfix, port=submission, protocol=tcp]
+ bantime = 7200
+ '';
+ };
+ };
+
+ environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
+ enable = true;
+ text = ''
+ # Fail2Ban filter for postfix authentication failures
+ [INCLUDES]
+ before = common.conf
+ [Definition]
+ daemon = postfix/smtpd
+ failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+ '';
+ };
+
+ environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
+ enable = true;
+ text = ''
+ [Definition]
+ failregex = lost connection after EHLO from \S+\[\]
+ '';
+ };
+
+ environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
+ enable = true;
+ text = ''
+ [Definition]
+ failregex = sshd(?:\[\d+\])?: Did not receive identification string from $
+ ignoreregex =
+ '';
+ };
+
+ systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+}
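Review bot: All three custom `failregex` lines (postfix-sasl `\[\]: SASL`, postfix-ddos `from \S+\[\]`, sshd-ddos `from $`) lack fail2ban's `<HOST>` capture as rendered here, and a failregex with no host group is rejected when the filter loads, which would leave those jails down rather than merely ineffective. The patch's `From:` header has also lost its angle-bracketed address, so this may be a rendering artefact — confirm the committed filter files still contain the tag before treating it as a bug. Independently, the `postfix`, `postfix-sasl` and `postfix-ddos` jails all pass `name=postfix` to the iptables action, so they share one `f2b-postfix` chain and stopping or reloading any one of them flushes the bans of the others; give each jail a distinct name, e.g. `action = iptables[name=postfix-sasl, port=smtp, protocol=tcp]` and `action = iptables[name=postfix-ddos, port=submission, protocol=tcp]`. The `port = postfix,imap3,imaps,pop3,pop3s` line in postfix-sasl has no effect because the explicit action fixes `port=smtp`, so either drop it or drop the explicit `port=` and let the action inherit it. If the deployed NixOS module's DEFAULT section sets `backend = systemd` (the versions I know do), the file `logpath` lines here, including the asterisk one, are ignored in favour of the journal, which is worth confirming against the module in use.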
diff --git a/config/hosts/athame/virtualhosts.nix b/config/hosts/athame/virtualhosts.nix
index efd911d4..339aa8d9 100644
--- a/config/hosts/athame/virtualhosts.nix
+++ b/config/hosts/athame/virtualhosts.nix
@@ -30,9 +30,7 @@ in {
 '';
 };
 } // common;
- "athame.kittywit.ch" = {
- root = "/var/www/athame";
- } // common;
+ "athame.kittywit.ch" = { root = "/var/www/athame"; } // common;
 "vault.kittywit.ch" = {
 locations = {
 "/".proxyPass = "http://127.0.0.1:4000";