2025-02-07 15:02:40 +00:00
|
|
|
{pkgs, ...}: {
|
|
|
|
|
|
|
|
|
|
environment.systemPackages = [pkgs.fail2ban];
|
|
|
|
|
|
|
|
|
|
environment.etc = {
|
|
|
|
|
"fail2ban/filter.d/nginx-bruteforce.conf".text = ''
|
|
|
|
|
[Definition]
|
|
|
|
|
failregex = ^<HOST>.*(GET|POST).* (404|444|403|400) .*$
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.fail2ban = {
|
|
|
|
|
enable = true;
|
|
|
|
|
maxretry = 5;
|
|
|
|
|
ignoreIP = [
|
2025-03-02 23:07:58 +00:00
|
|
|
"86.173.148.116"
|
2025-02-07 15:02:40 +00:00
|
|
|
];
|
|
|
|
|
bantime-increment = {
|
|
|
|
|
enable = true;
|
|
|
|
|
multipliers = "1 2 4 8 16 32 64";
|
|
|
|
|
maxtime = "168h";
|
|
|
|
|
};
|
|
|
|
|
jails = {
|
|
|
|
|
nginx-spam.settings = {
|
|
|
|
|
filter = "nginx-bruteforce";
|
|
|
|
|
action = "iptables-allports";
|
|
|
|
|
logpath = "/var/log/nginx/access.log";
|
|
|
|
|
backend = "auto";
|
|
|
|
|
findtime = 600;
|
|
|
|
|
bantime = 600;
|
|
|
|
|
maxretry = 10;
|
|
|
|
|
};
|
2025-03-02 23:07:58 +00:00
|
|
|
nginx-botsearch.settings = {
|
|
|
|
|
filter = "nginx-botsearch";
|
|
|
|
|
action = "iptables-allports";
|
|
|
|
|
logpath = "/var/log/nginx/access.log";
|
|
|
|
|
backend = "auto";
|
|
|
|
|
findtime = 600;
|
|
|
|
|
bantime = 86400;
|
|
|
|
|
maxretry = 3;
|
|
|
|
|
};
|
2025-02-07 15:02:40 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
