From 470c8d32c712c7fa49ee360b22bda642b4f6052e Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sat, 15 Jun 2024 01:17:53 +0200
Subject: [PATCH] enable fail2ban instead of sshguard

---
 components/network/default.nix | 1 +
 components/network/fail2ban.nix | 31 +++++++++++++++++++++++++++++++
 machines/orbi/configuration.nix | 3 +++
 3 files changed, 35 insertions(+)
 create mode 100644 components/network/fail2ban.nix

diff --git a/components/network/default.nix b/components/network/default.nix
index fd452b9..4a0ba8c 100644
--- a/components/network/default.nix
+++ b/components/network/default.nix
@@ -11,6 +11,7 @@ with types;
 imports = [
 #./avahi.nix
+ ./fail2ban.nix
 ./hosts.nix
 ./nginx.nix
 ./sshd
diff --git a/components/network/fail2ban.nix b/components/network/fail2ban.nix
new file mode 100644
index 0000000..0b4b671
--- /dev/null
+++ b/components/network/fail2ban.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+ options.components.network.fail2ban.enable = mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = mkIf (config.components.network.fail2ban.enable) {
+
+ environment.systemPackages = [ pkgs.fail2ban ];
+
+ services.fail2ban = {
+ enable = true;
+ # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
+ jails = {
+ # fixme: can't use, because I changed the nginx log format
+ #nginx-bad-request.settings = {
+ # port = "http,https";
+ # logpath = "%(nginx_error_log)s";
+ #};
+ # fixme: can't use, because I changed the nginx log format
+ #nginx-botsearch.settings = {
+ # port = "http,https";
+ # logpath = "%(nginx_error_log)s";
+ #};
+ };
+ };
+
+ };
+}
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index 78f80f8..8e57b30 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
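Review bot: Every jail in the new `services.fail2ban.jails` block is commented out, so after this commit fail2ban only runs whatever jails the NixOS module enables on its own (I believe that is an sshd jail by default, but confirm it with `fail2ban-client status` on the host rather than assume it), which matches the "not really working" fixme this patch adds in configuration.nix. I would declare the SSH jail explicitly so the protection does not hinge on module defaults, e.g. `jails.sshd.settings.enabled = true;` inside `jails`, and set `services.fail2ban.ignoreIP` to the admin/WireGuard range so a mistyped password over wg0 cannot ban the only management path. The two commented-out nginx jails are dead code behind a fixme; either delete them or turn the fixme into a tracked TODO naming the custom log format a filter would have to match. The `enable` option also lacks a `description`, and `lib.types.bool` is redundant under `with lib;` — `mkEnableOption "fail2ban brute-force protection"` would cover both.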
@@ -41,6 +41,9 @@ components.network.nginx.landingpage.enable = false; components.network.wifi.enable = false; + components.network.fail2ban.enable = true; # fixme: not really working at the moment + components.network.sshd.sshguard.enable = false; + components.monitor.enable = true; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
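Review bot: `components.network.sshd.sshguard.enable = false;` switches off the existing SSH brute-force protection in the same commit that admits, one line above, that its replacement is "not really working", so the host is left with no verified login-rate limiting rather than a swap. I would keep sshguard enabled until fail2ban has been observed banning on orbi (a populated `fail2ban-client status sshd`), and flip it off in a follow-up. The fixme should also record what is broken — for instance whether any jail is active — so the follow-up is actionable: `# fixme: fail2ban not yet verified (no active jails?); keep sshguard on until it is`.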