From aae5a7d250359578a4f2d917985584406d6ff230 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Mon, 3 May 2021 18:02:19 +0100
Subject: [PATCH] services/fail2ban: Moved to nftables, made it actually work

---
 services/fail2ban.nix | 14 +++++++++-----
 services/mail.nix | 6 +++---
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index 20551c16..b24e6942 100644
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@@ -3,23 +3,27 @@
 {
 services.fail2ban = {
 enable = true;
+ packageFirewall = pkgs.nftables;
+ banaction="nftables-multiport";
+ banaction-allports = "nftables-allports";
 jails = {
- DEFAULT = ''
- bantime = 1d
+ default = ''
+ bantime = 7d
 blocktype = DROP
- logpath = /var/log/auth.log
+ action = nftables-allports
+ logpath = /var/log/auth.log
 '';
 ssh = ''
 enabled = true
 filter = sshd
 maxretry = 4
- action = iptables[name=SSH, port=ssh, protocol=tcp]
+ action = nftables-multiport[name=SSH, port=ssh, protocol=tcp]
 '';
 sshd-ddos = ''
 enabled = true
 filter = sshd-ddos
 maxretry = 4
- action = iptables[name=ssh, port=ssh, protocol=tcp]
+ action = nftables-multiport[name=ssh, port=ssh, protocol=tcp]
 '';
 };
 };
diff --git a/services/mail.nix b/services/mail.nix
index 568f66ae..ac0e7312 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -10,20 +10,20 @@ with lib;
 enabled = true
 filter = postfix
 maxretry = 3
- action = iptables[name=postfix, port=smtp, protocol=tcp]
+ action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
 '';
 postfix-sasl = ''
 enabled = true
 filter = postfix-sasl
 port = postfix,imap3,imaps,pop3,pop3s
 maxretry = 3
- action = iptables[name=postfix, port=smtp, protocol=tcp]
+ action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
 '';
 postfix-ddos = ''
 enabled = true
 filter = postfix-ddos
 maxretry = 3
- action = iptables[name=postfix, port=submission, protocol=tcp]
+ action = nftables-multiport[name=postfix, port=submission, protocol=tcp]
 bantime = 7200
 '';
 };
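Review bot: Renaming the `DEFAULT` jail key to lowercase `default` most likely stops these settings from being defaults at all: fail2ban's ini parser treats the section name `[DEFAULT]` case-sensitively, so `[default]` is presumably read as an ordinary jail named "default" (which is never `enabled`), and `bantime = 7d`, `blocktype = DROP` and `action = nftables-allports` would then apply to nothing — restoring `DEFAULT = ''` keeps them global, and the `services.fail2ban.banaction-allports` option set three lines above already covers the all-ports case. The new `packageFirewall = pkgs.nftables;` also needs `pkgs` in the module's argument list, which sits above the hunk and cannot be checked here. As a point of style, `banaction="nftables-multiport";` should be written `banaction = "nftables-multiport";` to match the surrounding assignments. The enclosing module expression starts before the hunk.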
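Review bot: In `postfix-sasl` the explicit `port=smtp` inside the action call overrides the jail's own `port = postfix,imap3,imaps,pop3,pop3s`, so a SASL brute-forcer gets banned on smtp only while the IMAP/POP ports it was actually hitting stay open; this predates the commit but the rewrite keeps it. Either drop the port from the action so fail2ban's `%(port)s` default applies, or write `action = nftables-multiport[name=postfix, port="%(port)s", protocol=tcp]`. Separately, all three jails pass `name=postfix`, which as far as I can tell makes them share one `f2b-postfix` set and rule, so stopping or reloading one jail may tear down the bans of the others; giving each jail a distinct name (e.g. `name=postfix-sasl`) avoids that. The enclosing `jails` attribute set starts before this hunk.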