commit 996fcae23298c73af6e4260daafd5c4a9b4fbaa7 · nekomimi.pet/nixcfg

+31

hosts/baal/default.nix

···

       33
       33
        
           networkmanager.enable = true;

     

       34
       34
        
         };

     

       35
       35
        
       

     

       36
       36
       +
           services.fail2ban = {

     

       37
       37
       +
           enable = true;

     

       38
       38
       +
           # Ban IP after 5 failures

     

       39
       39
       +
           maxretry = 5;

     

       40
       40
       +
           ignoreIP = [

     

       41
       41
       +
             "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"

     

       42
       42
       +
           ];

     

       43
       43
       +
           bantime = "24h"; # Ban IPs for one day on the first ban

     

       44
       44
       +
           bantime-increment = {

     

       45
       45
       +
             enable = true; # Enable increment of bantime after each violation

     

       46
       46
       +
             formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";

     

       47
       47
       +
             multipliers = "1 2 4 8 16 32 64";

     

       48
       48
       +
             maxtime = "168h"; # Do not ban for more than 1 week

     

       49
       49
       +
             overalljails = true; # Calculate the bantime based on all the violations

     

       50
       50
       +
           };

     

       51
       51
       +
           jails = {

     

       52
       52
       +
             apache-nohome-iptables.settings = {

     

       53
       53
       +
               # Block an IP address if it accesses a non-existent

     

       54
       54
       +
               # home directory more than 5 times in 10 minutes,

     

       55
       55
       +
               # since that indicates that it's scanning.

     

       56
       56
       +
               filter = "apache-nohome";

     

       57
       57
       +
               action = ''iptables-multiport[name=HTTP, port="http,https"]'';

     

       58
       58
       +
               logpath = "/var/log/httpd/error_log*";

     

       59
       59
       +
               backend = "auto";

     

       60
       60
       +
               findtime = 600;

     

       61
       61
       +
               bantime  = 600;

     

       62
       62
       +
               maxretry = 5;

     

       63
       63
       +
             };

     

       64
       64
       +
           };

     

       65
       65
       +
         };

     

       66
       66
       +
       

     

       36
       67
        
         virtualisation.docker = {

     

       37
       68
        
           enable = true;

     

       38
       69
        
           enableOnBoot = true;

+31

hosts/buer/default.nix

···

       66
       66
        
           useDHCP = false;

     

       67
       67
        
         };

     

       68
       68
        
       

     

       69
       69
       +
           services.fail2ban = {

     

       70
       70
       +
           enable = true;

     

       71
       71
       +
           # Ban IP after 5 failures

     

       72
       72
       +
           maxretry = 5;

     

       73
       73
       +
           ignoreIP = [

     

       74
       74
       +
             "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"

     

       75
       75
       +
           ];

     

       76
       76
       +
           bantime = "24h"; # Ban IPs for one day on the first ban

     

       77
       77
       +
           bantime-increment = {

     

       78
       78
       +
             enable = true; # Enable increment of bantime after each violation

     

       79
       79
       +
             formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";

     

       80
       80
       +
             multipliers = "1 2 4 8 16 32 64";

     

       81
       81
       +
             maxtime = "168h"; # Do not ban for more than 1 week

     

       82
       82
       +
             overalljails = true; # Calculate the bantime based on all the violations

     

       83
       83
       +
           };

     

       84
       84
       +
           jails = {

     

       85
       85
       +
             apache-nohome-iptables.settings = {

     

       86
       86
       +
               # Block an IP address if it accesses a non-existent

     

       87
       87
       +
               # home directory more than 5 times in 10 minutes,

     

       88
       88
       +
               # since that indicates that it's scanning.

     

       89
       89
       +
               filter = "apache-nohome";

     

       90
       90
       +
               action = ''iptables-multiport[name=HTTP, port="http,https"]'';

     

       91
       91
       +
               logpath = "/var/log/httpd/error_log*";

     

       92
       92
       +
               backend = "auto";

     

       93
       93
       +
               findtime = 600;

     

       94
       94
       +
               bantime  = 600;

     

       95
       95
       +
               maxretry = 5;

     

       96
       96
       +
             };

     

       97
       97
       +
           };

     

       98
       98
       +
         };

     

       99
       99
       +
       

     

       69
       100
        
         # Static IP configuration via systemd-networkd

     

       70
       101
        
         systemd.network = {

     

       71
       102
        
           enable = true;

+31

hosts/valefar/default.nix

···

       262
       262
        
           };

     

       263
       263
        
         };

     

       264
       264
        
       

     

       265
       265
       +
         services.fail2ban = {

     

       266
       266
       +
           enable = true;

     

       267
       267
       +
           # Ban IP after 5 failures

     

       268
       268
       +
           maxretry = 5;

     

       269
       269
       +
           ignoreIP = [

     

       270
       270
       +
             "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"

     

       271
       271
       +
           ];

     

       272
       272
       +
           bantime = "24h"; # Ban IPs for one day on the first ban

     

       273
       273
       +
           bantime-increment = {

     

       274
       274
       +
             enable = true; # Enable increment of bantime after each violation

     

       275
       275
       +
             formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";

     

       276
       276
       +
             multipliers = "1 2 4 8 16 32 64";

     

       277
       277
       +
             maxtime = "168h"; # Do not ban for more than 1 week

     

       278
       278
       +
             overalljails = true; # Calculate the bantime based on all the violations

     

       279
       279
       +
           };

     

       280
       280
       +
           jails = {

     

       281
       281
       +
             apache-nohome-iptables.settings = {

     

       282
       282
       +
               # Block an IP address if it accesses a non-existent

     

       283
       283
       +
               # home directory more than 5 times in 10 minutes,

     

       284
       284
       +
               # since that indicates that it's scanning.

     

       285
       285
       +
               filter = "apache-nohome";

     

       286
       286
       +
               action = ''iptables-multiport[name=HTTP, port="http,https"]'';

     

       287
       287
       +
               logpath = "/var/log/httpd/error_log*";

     

       288
       288
       +
               backend = "auto";

     

       289
       289
       +
               findtime = 600;

     

       290
       290
       +
               bantime  = 600;

     

       291
       291
       +
               maxretry = 5;

     

       292
       292
       +
             };

     

       293
       293
       +
           };

     

       294
       294
       +
         };

     

       295
       295
       +
       

     

       265
       296
        
         # =============================================================================

     

       266
       297
        
         # PACKAGES

     

       267
       298
        
         # =============================================================================