pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / security / sshguard.nix
at 25.11-pre 6.0 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7let 8 cfg = config.services.sshguard; 9 10 configFile = 11 let 12 args = lib.concatStringsSep " " ( 13 [ 14 "-afb" 15 "-p info" 16 "-o cat" 17 "-n1" 18 ] 19 ++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services) 20 ); 21 backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset"; 22 in 23 pkgs.writeText "sshguard.conf" '' 24 BACKEND="${pkgs.sshguard}/libexec/${backend}" 25 LOGREADER="LANG=C ${config.systemd.package}/bin/journalctl ${args}" 26 ''; 27 28in 29{ 30 31 ###### interface 32 33 options = { 34 35 services.sshguard = { 36 enable = lib.mkOption { 37 default = false; 38 type = lib.types.bool; 39 description = "Whether to enable the sshguard service."; 40 }; 41 42 attack_threshold = lib.mkOption { 43 default = 30; 44 type = lib.types.int; 45 description = '' 46 Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10. 47 ''; 48 }; 49 50 blacklist_threshold = lib.mkOption { 51 default = null; 52 example = 120; 53 type = lib.types.nullOr lib.types.int; 54 description = '' 55 Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. 56 ''; 57 }; 58 59 blacklist_file = lib.mkOption { 60 default = "/var/lib/sshguard/blacklist.db"; 61 type = lib.types.path; 62 description = '' 63 Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. 64 ''; 65 }; 66 67 blocktime = lib.mkOption { 68 default = 120; 69 type = lib.types.int; 70 description = '' 71 Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5. 72 73 sshguard unblocks attacks at random intervals, so actual block times will be longer. 74 ''; 75 }; 76 77 detection_time = lib.mkOption { 78 default = 1800; 79 type = lib.types.int; 80 description = '' 81 Remember potential attackers for up to detection_time seconds before resetting their score. 82 ''; 83 }; 84 85 whitelist = lib.mkOption { 86 default = [ ]; 87 example = [ 88 "198.51.100.56" 89 "198.51.100.2" 90 ]; 91 type = lib.types.listOf lib.types.str; 92 description = '' 93 Whitelist a list of addresses, hostnames, or address blocks. 94 ''; 95 }; 96 97 services = lib.mkOption { 98 default = [ "sshd" ]; 99 example = [ 100 "sshd" 101 "exim" 102 ]; 103 type = lib.types.listOf lib.types.str; 104 description = '' 105 Systemd services sshguard should receive logs of. 106 ''; 107 }; 108 }; 109 }; 110 111 ###### implementation 112 113 config = lib.mkIf cfg.enable { 114 115 environment.etc."sshguard.conf".source = configFile; 116 117 systemd.services.sshguard = { 118 description = "SSHGuard brute-force attacks protection system"; 119 120 wantedBy = [ "multi-user.target" ]; 121 after = [ "network.target" ]; 122 partOf = lib.optional config.networking.firewall.enable "firewall.service"; 123 124 restartTriggers = [ configFile ]; 125 126 path = 127 with pkgs; 128 if config.networking.nftables.enable then 129 [ 130 nftables 131 iproute2 132 systemd 133 ] 134 else 135 [ 136 iptables 137 ipset 138 iproute2 139 systemd 140 ]; 141 142 # The sshguard ipsets must exist before we invoke 143 # iptables. sshguard creates the ipsets after startup if 144 # necessary, but if we let sshguard do it, we can't reliably add 145 # the iptables rules because postStart races with the creation 146 # of the ipsets. So instead, we create both the ipsets and 147 # firewall rules before sshguard starts. 148 preStart = 149 lib.optionalString config.networking.firewall.enable '' 150 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet 151 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP 152 '' 153 + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' 154 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 155 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP 156 ''; 157 158 postStop = 159 lib.optionalString config.networking.firewall.enable '' 160 ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP 161 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 162 '' 163 + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' 164 ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP 165 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 166 ''; 167 168 unitConfig.Documentation = "man:sshguard(8)"; 169 170 serviceConfig = { 171 Type = "simple"; 172 ExecStart = 173 let 174 args = lib.concatStringsSep " " ( 175 [ 176 "-a ${toString cfg.attack_threshold}" 177 "-p ${toString cfg.blocktime}" 178 "-s ${toString cfg.detection_time}" 179 (lib.optionalString ( 180 cfg.blacklist_threshold != null 181 ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") 182 ] 183 ++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist) 184 ); 185 in 186 "${pkgs.sshguard}/bin/sshguard ${args}"; 187 Restart = "always"; 188 ProtectSystem = "strict"; 189 ProtectHome = "tmpfs"; 190 RuntimeDirectory = "sshguard"; 191 StateDirectory = "sshguard"; 192 CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; 193 }; 194 }; 195 }; 196}