sapphic.moe / flake
❄️ Dotfiles for our NixOS system configuration.
fork atom

chore(services:fail2ban): test change(?)

Chloe 1eb37d0a 2caa68f9

options
unified split
Changed files
+15 -13
services
fail2ban
default.nix
+15 -13
services/fail2ban/default.nix 
···

       
49

       
49

       
 

       
        maxretry = 5;


     

       
50

       
50

       
 

       
        findtime = "3600";


     

       
51

       
51

       
 

       
        bantime = "86400";


     

       
52

       

       
-

       
        action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='18,22', abuseipdb_comment='Fail2Ban SSH Brute Force']";


     

       

       
52

       
+

       
        action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb[abuseipdb_apikey='$(cat /run/agenix/abuseipdb)', abuseipdb_category='18,22']";


     

       
53

       
53

       
 

       
      };


     

       
54

       
54

       
 

       



     

       
55

       
55

       
 

       
      # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors


     
···

       
62

       
62

       
 

       
        maxretry = 10;


     

       
63

       
63

       
 

       
        findtime = "600";


     

       
64

       
64

       
 

       
        bantime = "3600";


     

       
65

       

       
-

       
        action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Caddy Abuse']";


     

       

       
65

       
+

       
        action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb[abuseipdb_apikey='$(cat /run/agenix/abuseipdb)', abuseipdb_category='21']";


     

       
66

       
66

       
 

       
      };


     

       
67

       
67

       
 

       



     

       
68

       
68

       
 

       
      # Rate-based protection - ban on excessive requests


     
···

       
75

       
75

       
 

       
        maxretry = 50;


     

       
76

       
76

       
 

       
        findtime = "60";


     

       
77

       
77

       
 

       
        bantime = "1800";


     

       
78

       

       
-

       
        action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Rate Limiting']";


     

       

       
78

       
+

       
        action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb[abuseipdb_apikey='$(cat /run/agenix/abuseipdb)', abuseipdb_category='21']";


     

       
79

       
79

       
 

       
      };


     

       
80

       
80

       
 

       
    };


     

       
81

       
81

       
 

       
  };


     
···

       
83

       
83

       
 

       
  # Custom filters and actions for Fail2Ban


     

       
84

       
84

       
 

       
  environment.etc =


     

       
85

       
85

       
 

       
    let


     

       
86

       

       
-

       
      abuseipdbAction = pkgs.writeText "abuseipdb.conf" ''


     

       

       
86

       
+

       
      abuseipdbAction = ''


     

       
87

       
87

       
 

       
        [Definition]


     

       
88

       
88

       
 

       
        actionstart =


     

       
89

       
89

       
 

       
        actionstop =


     

       
90

       
90

       
 

       
        actioncheck =


     

       
91

       
91

       
 

       



     

       
92

       

       
-

       
        # Report IP to AbuseIPDB using the API key from the secret file


     

       
93

       

       
-

       
        actionban = /bin/sh -c 'curl -s -X POST https://api.abuseipdb.com/api/v2/report \


     

       
94

       

       
-

       
          -H "Key: $(cat <abuseipdb_apikey>)" \


     

       

       
92

       
+

       
        # Report IP to AbuseIPDB using official fail2ban pattern


     

       

       
93

       
+

       
        # The abuseipdb_apikey parameter is passed from the jail action call


     

       

       
94

       
+

       
        actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" \


     

       
95

       
95

       
 

       
          -H "Accept: application/json" \


     

       
96

       

       
-

       
          -d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>&timestamp=$(date +%%s)" \


     

       
97

       

       
-

       
          >> /var/log/fail2ban-abuseipdb.log 2>&1'


     

       

       
96

       
+

       
          -H "Key: <abuseipdb_apikey>" \


     

       

       
97

       
+

       
          --data-urlencode "comment=$lgm" \


     

       

       
98

       
+

       
          --data-urlencode "ip=<ip>" \


     

       

       
99

       
+

       
          --data "categories=<abuseipdb_category>"


     

       
98

       
100

       
 

       



     

       
99

       
101

       
 

       
        # No action to unban - AbuseIPDB reports are permanent


     

       
100

       
102

       
 

       
        actionunban =


     

       
101

       
103

       
 

       



     

       
102

       
104

       
 

       
        [Init]


     

       
103

       

       
-

       
        # Default path - will be overridden by jail configuration


     

       
104

       

       
-

       
        abuseipdb_apikey = /run/agenix/abuseipdb


     

       

       
105

       
+

       
        # Default category for abuse report


     

       
105

       
106

       
 

       
        abuseipdb_category = 18


     

       
106

       

       
-

       
        abuseipdb_comment = Fail2Ban Report


     

       

       
107

       
+

       
        # API key must be provided in jail action call


     

       

       
108

       
+

       
        abuseipdb_apikey =


     

       
107

       
109

       
 

       
      '';


     

       
108

       
110

       
 

       
    in


     

       
109

       
111

       
 

       
    {


     
···

       
122

       
124

       
 

       
      '';


     

       
123

       
125

       
 

       



     

       
124

       
126

       
 

       
      # AbuseIPDB action - must be copied into action.d directory


     

       
125

       

       
-

       
      "fail2ban/action.d/abuseipdb.conf".source = abuseipdbAction;


     

       

       
127

       
+

       
      "fail2ban/action.d/abuseipdb.conf".text = abuseipdbAction;


     

       
126

       
128

       
 

       
    };


     

       
127

       
129

       
 

       



     

       
128

       
130

       
 

       
  # Ensure the log directory exists