setup fail2ban

2025-02-07 15:02:40 +00:00 · 2025-02-07 15:02:40 +00:00 · 27a7b00565
commit 27a7b00565
parent 7c8a6a0d09
1 changed files with 34 additions and 0 deletions
--- a/hosts/common/optional/fail2ban.nix
+++ b/hosts/common/optional/fail2ban.nix
@ -0,0 +1,34 @@
+{pkgs, ...}: {
+
+  environment.systemPackages = [pkgs.fail2ban];
+
+  environment.etc = {
+    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+      [Definition]
+      failregex = ^<HOST>.*(GET|POST).* (404|444|403|400) .*$
+    '';
+  };
+
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+    ];
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h";
+    };
+    jails = {
+      nginx-spam.settings = {
+        filter = "nginx-bruteforce";
+        action = "iptables-allports";
+        logpath = "/var/log/nginx/access.log";
+        backend = "auto";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 10;
+      };
+    };
+  };
+}