nix-dotfiles/modules/fail2ban.nix

{ config, lib, libS, ... }:

let cfg = config.services.fail2ban;
in {
  options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; };

  config.services.fail2ban = lib.mkIf cfg.recommendedDefaults {
    maxretry = 5;
    bantime = "24h";
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      maxtime = "168h";
      overalljails = true;
    };

    jails = {
      apache-nohome-iptables.settings = {
        # Block an IP address if it accesses a non-existent
        # home directory more than 5 times in 10 minutes,
        # since that indicates that it's scanning.
        filter = "apache-nohome";
        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
        logpath = "/var/log/httpd/error_log*";
        backend = "systemd";
        findtime = 600;
        bantime = 600;
        maxretry = 5;
      };

      dovecot = {
        settings = {
          filter = "dovecot[mode=aggressive]";
          maxretry = 3;
        };
      };
    };
  };
}
add fail2ban 2023-12-29 20:54:12 +01:00			`{ config, lib, libS, ... }:`

enable external SMTP for hydra (#49) * external SMTP for hydra Signed-off-by: ahuston-0 <aliceghuston@gmail.com> * nix-serve sops Signed-off-by: ahuston-0 <aliceghuston@gmail.com> * add binary cache * add hydra jobs * cleanup (#50) * finish up cleanup branch merge * switched back to nixpkgs-fmt * add nixpkgs-fmt to hydrajobs.build --------- Signed-off-by: ahuston-0 <aliceghuston@gmail.com> Co-authored-by: Dennis Wuitz <dennish@wuitz.de> Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com> 2024-02-01 16:50:14 -05:00			`let cfg = config.services.fail2ban;`
			`in {`
			`options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; };`
add fail2ban 2023-12-29 20:54:12 +01:00
			`config.services.fail2ban = lib.mkIf cfg.recommendedDefaults {`
			`maxretry = 5;`
			`bantime = "24h";`
			`bantime-increment = {`
			`enable = true;`
			`formula = "ban.Time * math.exp(float(ban.Count+1)banFactor)/math.exp(1banFactor)";`
			`maxtime = "168h";`
			`overalljails = true;`
			`};`

			`jails = {`
			`apache-nohome-iptables.settings = {`
			`# Block an IP address if it accesses a non-existent`
			`# home directory more than 5 times in 10 minutes,`
			`# since that indicates that it's scanning.`
			`filter = "apache-nohome";`
			`action = ''iptables-multiport[name=HTTP, port="http,https"]'';`
			`logpath = "/var/log/httpd/error_log*";`
add patch feature (#6) * add patch feature * refactor 2023-12-30 17:18:25 +01:00			`backend = "systemd";`
add fail2ban 2023-12-29 20:54:12 +01:00			`findtime = 600;`
Feature email server (#14) * formatting * update * add mailserver * flake update 2024-01-02 16:30:08 +01:00			`bantime = 600;`
add fail2ban 2023-12-29 20:54:12 +01:00			`maxretry = 5;`
			`};`
Feature email server (#14) * formatting * update * add mailserver * flake update 2024-01-02 16:30:08 +01:00
add fail2ban 2023-12-29 20:54:12 +01:00			`dovecot = {`
			`settings = {`
			`filter = "dovecot[mode=aggressive]";`
			`maxretry = 3;`
			`};`
			`};`
			`};`
			`};`
Feature email server (#14) * formatting * update * add mailserver * flake update 2024-01-02 16:30:08 +01:00			`}`