# NixOS VM test for fail2ban: repeated failed SSH logins from `client` must
# get its address banned in the `sshd` jail, and the ban must be enforced
# (the port stops answering), not merely recorded.
{ pkgs, ... }:
{
  name = "fail2ban";

  nodes = {
    # System under test: sshd exposed, fail2ban watching it, bans applied
    # through nftables with escalating ban times on repeat offences.
    machine = _: {
      networking.nftables.enable = true;
      services.openssh.enable = true;
      services.fail2ban = {
        enable = true;
        bantime-increment.enable = true;
      };
    };

    # Peer that triggers the ban; only needs a scripted ssh client and a
    # netcat to probe whether the port is still reachable.
    client = _: {
      environment.systemPackages = [
        pkgs.sshpass
        pkgs.libressl.nc
      ];
    };
  };

  testScript = ''
    start_all()

    # Nothing can be asserted until both the jail and sshd are actually up.
    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("fail2ban")
    machine.wait_for_unit("sshd")
    client.wait_for_unit("multi-user.target")

    # IPv6 addresses of the two nodes on the test network.
    client_ip = "2001:db8:1::1"
    server_ip = "2001:db8:1::2"

    # Commands reused by the checks below.  `banned_count` prints the number
    # of matching bans in the sshd jail (0 or 1 for a single address).
    banned_count = f"fail2ban-client get sshd banned {client_ip}"
    probe_ssh_port = f"nc -w3 -z {server_ip} 22"
    bad_login = f"sshpass -p 'wrongpassword' ssh -o StrictHostKeyChecking=no {server_ip}"

    # Baseline: no ban yet, and the client can still reach sshd.
    machine.succeed(f"test 0 -eq $({banned_count})")
    client.succeed(probe_ssh_port)

    # Generate authentication-failure log entries for the jail to match.
    for _ in range(2):
        client.fail(bad_login)

    # The jail must report the client as banned, and the port must become
    # unreachable from the client -- i.e. the ban is enforced, not just logged.
    machine.wait_until_succeeds(f"test 1 -eq $({banned_count})")
    client.fail(probe_ssh_port)
  '';
}