commit 7f279d8ef2c04389d63f9f24f42274ab8334fd55 · sapphic.moe/flake

+21 -56

services/fail2ban/default.nix

···

       4
        
         age.secrets.abuseipdb = {

     

       5
        
           file = ../../secrets/abuseipdb.age;

     

       6
        
           mode = "600";

     

       7
       -
           owner = "abuseipdb";

     

       8
       -
           group = "abuseipdb";

     

       9
        
         };

     

       10
        
       

     

       11
        
         services.fail2ban = {

     

       12
        
           enable = true;

     

       13
        
       

     

       14
       -
           # Include curl for making HTTP requests to AbuseIPDB

     

       15
       -
           extraPackages = [ pkgs.curl ];

     

       16
       -
       

     

       17
       -
           # Globally applicable settings for all jails

     

       18
       -
           daemonSettings = {

     

       19
       -
             Definition = {

     

       20
       -
               # How long to keep an IP in the ban list (in seconds)

     

       21
       -
               # 1 day = 86400 seconds

     

       22
       -
               bantime = "86400";

     

       23
        
       

     

       24
       -
               # How far back to look for failures (in seconds)

     

       25
       -
               # 1 hour = 3600 seconds

     

       26
       -
               findtime = "3600";

     

       27
       -
       

     

       28
       -
               # Number of failures before banning

     

       29
       -
               maxretry = 3;

     

       30
       -
       

     

       31
       -
               # Allow fail2ban to write to syslog

     

       32
       -
               logtarget = "SYSLOG";

     

       33
       -
             };

     

       34
       -
           };

     

       35
        
       

     

       36
        
           # Ignore local networks and trusted services

     

       37
        
           ignoreIP = [

     
···

       45
        
             # SSH protection - monitor failed login attempts

     

       46
        
             sshd.settings = {

     

       47
        
               enabled = true;

     

       48
       -
               port = "ssh";

     

       49
        
               filter = "sshd";

     

       50
       -
               logpath = "%(syslog_authpriv)s";

     

       51
       -
               backend = "auto";

     

       52
        
               maxretry = 5;

     

       53
       -
               findtime = "3600";

     

       54
       -
               bantime = "86400";

     

       55
       -
               action = [

     

       56
       -
                 "iptables-multiport[name=SSH, port='ssh']"

     

       57
       -
                 "abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='18,22', abuseipdb_comment='Fail2Ban SSH Brute Force']"

     

       58
       -
               ];

     

       59
        
             };

     

       60
        
       

     

       61
        
             # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors

     

       62
        
             caddy-http.settings = {

     

       63
        
               enabled = true;

     

       64
       -
               port = "http,https";

     

       65
        
               filter = "caddy-http";

     

       66
        
               logpath = "/var/log/caddy/access.log";

     

       67
        
               backend = "auto";

     

       68
        
               maxretry = 10;

     

       69
       -
               findtime = "600";

     

       70
       -
               bantime = "3600";

     

       71
       -
               action = [

     

       72
       -
                 "iptables-multiport[name=Caddy, port='http,https']"

     

       73
       -
                 "abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Caddy Abuse']"

     

       74
       -
               ];

     

       75
        
             };

     

       76
        
       

     

       77
        
             # Rate-based protection - ban on excessive requests

     

       78
        
             caddy-ratelimit.settings = {

     

       79
        
               enabled = true;

     

       80
       -
               port = "http,https";

     

       81
        
               filter = "caddy-ratelimit";

     

       82
        
               logpath = "/var/log/caddy/access.log";

     

       83
        
               backend = "auto";

     

       84
        
               maxretry = 50;

     

       85
       -
               findtime = "60";

     

       86
       -
               bantime = "1800";

     

       87
       -
               action = [

     

       88
       -
                 "iptables-multiport[name=Caddy-RateLimit, port='http,https']"

     

       89
       -
                 "abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Rate Limiting']"

     

       90
       -
               ];

     

       91
        
             };

     

       92
        
           };

     

       93
        
         };

     
···

       108
        
             ignoreregex =

     

       109
        
           '';

     

       110
        
       

     

       111
       -
           # AbuseIPDB action for reporting IPs

     

       112
       -
           # The API key is passed via the abuseipdb_apikey parameter which should be

     

       113
       -
           # set to the path of the decrypted secret file (e.g., /run/agenix/abuseipdb)

     

       114
       -
           "fail2ban/action.d/abuseipdb.conf".text = ''

     

       115
        
             [Definition]

     

       116
        
             actionstart =

     

       117
        
             actionstop =

     

       118
        
             actioncheck =

     

       119
        
       

     

       120
       -
             # Report IP to AbuseIPDB

     

       121
       -
             # Reads the API key from the file specified in the abuseipdb_apikey parameter

     

       122
        
             actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \

     

       123
        
               -H "Key: $(cat <abuseipdb_apikey>)" \

     

       124
        
               -H "Accept: application/json" \

     

       125
       -
               -d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>" \

     

       126
        
               -o /dev/null

     

       127
        
       

     

       128
       -
             # No action to unban - AbuseIPDB reports are permanent

     

       129
        
             actionunban =

     

       130
        
       

     

       131
        
             [Init]

     

       132
       -
             # Default path - will be overridden by jail configuration

     

       133
        
             abuseipdb_apikey = /run/agenix/abuseipdb

     

       134
       -
             abuseipdb_category = 18

     

       135
       -
             abuseipdb_comment = Fail2Ban Report

     

       136
        
           '';

     

       137
        
         };

     

       138
        
       }

···

       4
        
         age.secrets.abuseipdb = {

     

       5
        
           file = ../../secrets/abuseipdb.age;

     

       6
        
           mode = "600";

     

       0
        
       
     

       0
        
       
     

       7
        
         };

     

       8
        
       

     

       9
        
         services.fail2ban = {

     

       10
        
           enable = true;

     

       11
        
       

     

       12
       +
           # Include curl and jq for making HTTP requests to AbuseIPDB

     

       13
       +
           extraPackages = [ pkgs.curl pkgs.jq ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
       

     

       15
       +
           # Global default settings for all jails

     

       16
       +
           bantime = "1d";

     

       17
       +
           findtime = "1h";

     

       18
       +
           maxretry = 3;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
       

     

       20
        
           # Ignore local networks and trusted services

     

       21
        
           ignoreIP = [

     
···

       29
        
             # SSH protection - monitor failed login attempts

     

       30
        
             sshd.settings = {

     

       31
        
               enabled = true;

     

       0
        
       
     

       32
        
               filter = "sshd";

     

       33
       +
               backend = "systemd";

     

       0
        
       
     

       34
        
               maxretry = 5;

     

       35
       +
               findtime = "1h";

     

       36
       +
               bantime = "1d";

     

       37
       +
               action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       38
        
             };

     

       39
        
       

     

       40
        
             # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors

     

       41
        
             caddy-http.settings = {

     

       42
        
               enabled = true;

     

       0
        
       
     

       43
        
               filter = "caddy-http";

     

       44
        
               logpath = "/var/log/caddy/access.log";

     

       45
        
               backend = "auto";

     

       46
        
               maxretry = 10;

     

       47
       +
               findtime = "10m";

     

       48
       +
               bantime = "1h";

     

       49
       +
               action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       50
        
             };

     

       51
        
       

     

       52
        
             # Rate-based protection - ban on excessive requests

     

       53
        
             caddy-ratelimit.settings = {

     

       54
        
               enabled = true;

     

       0
        
       
     

       55
        
               filter = "caddy-ratelimit";

     

       56
        
               logpath = "/var/log/caddy/access.log";

     

       57
        
               backend = "auto";

     

       58
        
               maxretry = 50;

     

       59
       +
               findtime = "1m";

     

       60
       +
               bantime = "30m";

     

       61
       +
               action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       62
        
             };

     

       63
        
           };

     

       64
        
         };

     
···

       79
        
             ignoreregex =

     

       80
        
           '';

     

       81
        
       

     

       82
       +
           # AbuseIPDB action for reporting IPs to the abuse database

     

       83
       +
           "fail2ban/action.d/abuseipdb-notify.conf".text = ''

     

       0
        
       
     

       0
        
       
     

       84
        
             [Definition]

     

       85
        
             actionstart =

     

       86
        
             actionstop =

     

       87
        
             actioncheck =

     

       88
        
       

     

       89
       +
             # Report IP to AbuseIPDB API

     

       0
        
       
     

       90
        
             actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \

     

       91
        
               -H "Key: $(cat <abuseipdb_apikey>)" \

     

       92
        
               -H "Accept: application/json" \

     

       93
       +
               -d "ip=<ip>&category=15&comment=Fail2Ban%20-%20<name>" \

     

       94
        
               -o /dev/null

     

       95
        
       

     

       96
       +
             # No actionunban - AbuseIPDB reports are permanent

     

       97
        
             actionunban =

     

       98
        
       

     

       99
        
             [Init]

     

       0
        
       
     

       100
        
             abuseipdb_apikey = /run/agenix/abuseipdb

     

       0
        
       
     

       0
        
       
     

       101
        
           '';

     

       102
        
         };

     

       103
        
       }