palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add moar fail2ban rules

Browse source
This commit is contained in:
Ingolf Wagner 2024-06-16 00:13:07 +02:00
parent 49b5665f77
commit 3dc427c467
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
1 changed files with 16 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
components/network/fail2ban.nix
View file

@ -19,19 +19,33 @@ with lib;
# -------------------- # --------------------
# https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
(mkIf config.components.network.fail2ban.enable { (mkIf config.components.network.fail2ban.enable {
services.fail2ban.jails.nginx-git-ingolf-wagner-de.settings = { services.fail2ban.jails.nginx-git-not-found.settings = {
port = "http,https"; port = "http,https";
logpath = "%(nginx_error_log)s"; logpath = "%(nginx_error_log)s";
}; };
environment.etc = { environment.etc = {
# Defines a filter that detects URL probing by reading the Nginx access log # Defines a filter that detects URL probing by reading the Nginx access log
"fail2ban/filter.d/nginx-git-ingolf-wagner-de.local".text = '' "fail2ban/filter.d/nginx-git-not-found.local".text = ''
[Definition] [Definition]
failregex = src_addr="<HOST>".*response_statu="404".*host="git\.ingolf-wagner\.de" failregex = src_addr="<HOST>".*response_statu="404".*host="git\.ingolf-wagner\.de"
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
''; '';
}; };
}) })
(mkIf config.components.network.fail2ban.enable {
services.fail2ban.jails.nginx-git-bad-request.settings = {
port = "http,https";
logpath = "%(nginx_error_log)s";
};
environment.etc = {
# Defines a filter that detects URL probing by reading the Nginx access log
"fail2ban/filter.d/nginx-git-bad-request.local".text = ''
[Definition]
failregex = src_addr="<HOST>".*response_statu="400".*host="git\.ingolf-wagner\.de"
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
'';
};
})
]; ];