mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-10 04:49:19 -08:00
41 lines
999 B
Nix
41 lines
999 B
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
services.fail2ban = {
|
|
enable = true;
|
|
packageFirewall = pkgs.nftables;
|
|
banaction = "nftables-multiport";
|
|
banaction-allports = "nftables-allports";
|
|
jails = {
|
|
default = ''
|
|
bantime = 7d
|
|
blocktype = DROP
|
|
action = nftables-allports
|
|
logpath = /var/log/auth.log
|
|
'';
|
|
ssh = ''
|
|
enabled = true
|
|
filter = sshd
|
|
maxretry = 4
|
|
action = nftables-multiport[name=SSH, port=ssh, protocol=tcp]
|
|
'';
|
|
sshd-ddos = ''
|
|
enabled = true
|
|
filter = sshd-ddos
|
|
maxretry = 4
|
|
action = nftables-multiport[name=ssh, port=ssh, protocol=tcp]
|
|
'';
|
|
};
|
|
};
|
|
|
|
environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
|
|
enable = true;
|
|
text = ''
|
|
[Definition]
|
|
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
|
|
ignoreregex =
|
|
'';
|
|
};
|
|
|
|
systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
|
|
}
|