fail2ban

2026-02-09 12:29:19 -08:00 · 2021-02-25 06:43:08 +00:00 · 2021-02-25 06:43:08 +00:00 · f808f1b2fa
commit f808f1b2fa
parent 1b8bad256d
4 changed files with 90 additions and 3 deletions
--- a/config/hosts/athame/asterisk.nix
+++ b/config/hosts/athame/asterisk.nix
@ -127,8 +127,10 @@ in {
      '';
      "logger.conf" = ''
        [general]
+        dateformat=%F %T
        [logfiles]
        ; Add debug output to log
+        messages => security, notice,warning,error 
        syslog.local0 => notice,warning,error,debug
      '';
    };
--- a/config/hosts/athame/configuration.nix
+++ b/config/hosts/athame/configuration.nix
@ -8,6 +8,8 @@
    # nginx
    ../../services/nginx.nix
    ./virtualhosts.nix
+    # security
+    ./fail2ban.nix
    # services
    ./mail.nix
    ./asterisk.nix
--- a/config/hosts/athame/fail2ban.nix
+++ b/config/hosts/athame/fail2ban.nix
@ -0,0 +1,85 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      DEFAULT = ''
+        bantime  = 3600
+        blocktype = DROP
+        logpath  = /var/log/auth.log
+      '';
+      asterisk = ''
+        enabled  = true
+        filter   = asterisk
+        action   = iptables-allports[name=ASTERISK, protocol=all]
+                    sendmail[name=ASTERISK, dest=kat@kittywit.ch, sender=fail2ban@localhost]
+        logpath  = /var/log/asterisk/messages
+        maxretry = 4
+      '';
+      ssh = ''
+        enabled = true
+        filter = sshd
+        maxretry = 4
+        action = iptables[name=SSH, port=ssh, protocol=tcp]
+      '';
+      sshd-ddos = ''
+        enabled  = true
+        filter = sshd-ddos
+        maxretry = 4
+        action   = iptables[name=ssh, port=ssh, protocol=tcp]
+      '';
+      postfix = ''
+        enabled  = true
+        filter   = postfix
+        maxretry = 3
+        action   = iptables[name=postfix, port=smtp, protocol=tcp]
+      '';
+      postfix-sasl = ''
+        enabled  = true
+        filter   = postfix-sasl
+        port     = postfix,imap3,imaps,pop3,pop3s
+        maxretry = 3
+        action   = iptables[name=postfix, port=smtp, protocol=tcp]
+      '';
+      postfix-ddos = ''
+        enabled  = true
+        filter   = postfix-ddos
+        maxretry = 3
+        action   = iptables[name=postfix, port=submission, protocol=tcp]
+        bantime  = 7200
+      '';
+    };
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
+    enable = true;
+    text = ''
+      # Fail2Ban filter for postfix authentication failures
+      [INCLUDES]
+      before = common.conf
+      [Definition]
+      daemon = postfix/smtpd
+      failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
+    enable = true;
+    text = ''
+      [Definition]
+      failregex = lost connection after EHLO from \S+\[<HOST>\]
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
+    enable = true;
+    text = ''
+      [Definition]
+      failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
+      ignoreregex =
+    '';
+  };
+
+  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+}
--- a/config/hosts/athame/virtualhosts.nix
+++ b/config/hosts/athame/virtualhosts.nix
@ -30,9 +30,7 @@ in {
        '';
      };
    } // common;
-    "athame.kittywit.ch" = {
-      root = "/var/www/athame";
-    } // common;
+    "athame.kittywit.ch" = { root = "/var/www/athame"; } // common;
    "vault.kittywit.ch" = {
      locations = {
        "/".proxyPass = "http://127.0.0.1:4000";