From 27a7b0056525855669caf484fbb9a4de35eccea9 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 7 Feb 2025 15:02:40 +0000
Subject: [PATCH] setup fail2ban

---
hosts/common/optional/fail2ban.nix | 34 ++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 hosts/common/optional/fail2ban.nix

diff --git a/hosts/common/optional/fail2ban.nix b/hosts/common/optional/fail2ban.nix
new file mode 100644
index 0000000..5811fcc
--- /dev/null
+++ b/hosts/common/optional/fail2ban.nix
@@ -0,0 +1,34 @@
+{pkgs, ...}: {
+
+ environment.systemPackages = [pkgs.fail2ban];
+
+ environment.etc = {
+ "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+ [Definition]
+ failregex = ^.*(GET|POST).* (404|444|403|400) .*$
+ '';
+ };
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ ];
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h";
+ };
+ jails = {
+ nginx-spam.settings = {
+ filter = "nginx-bruteforce";
+ action = "iptables-allports";
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 10;
+ };
+ };
+ };
+}
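Review bot: The `failregex` in the new `nginx-bruteforce` filter has no `<HOST>` capture group, so fail2ban has no address to ban; fail2ban rejects such a filter at load time (it reports a missing failure-id/host group) and the `nginx-spam` jail never starts, which makes this whole module a silent no-op. Anchor on the client address of the nginx combined log format instead, e.g. `failregex = ^<HOST> -.*"(GET|POST|HEAD)[^"]*" (400|403|404|444) .*$`, and add `ignoreregex =` beneath it so the `[Definition]` section is complete; if nginx sits behind a reverse proxy, `<HOST>` at line start would be the proxy's address, so the pattern must then read the forwarded-for field instead. Matching every 404 also means ten requests for a missing asset within `findtime = 600` earns a visitor an all-port ban that escalates to a week, so either tighten the pattern or raise `maxretry`. `ignoreIP` is left empty; the NixOS module appears to add loopback on its own, but the management ranges you administer from should be listed there before this is deployed, otherwise a misfiring probe from your own network locks you out.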