···
age.secrets.abuseipdb = {
file = ../../secrets/abuseipdb.age;
14
-
# Include curl for making HTTP requests to AbuseIPDB
15
-
extraPackages = [ pkgs.curl ];
17
-
# Globally applicable settings for all jails
20
-
# How long to keep an IP in the ban list (in seconds)
21
-
# 1 day = 86400 seconds
12
+
# Include curl and jq for making HTTP requests to AbuseIPDB
13
+
extraPackages = [ pkgs.curl pkgs.jq ];
24
-
# How far back to look for failures (in seconds)
25
-
# 1 hour = 3600 seconds
28
-
# Number of failures before banning
31
-
# Allow fail2ban to write to syslog
32
-
logtarget = "SYSLOG";
15
+
# Global default settings for all jails
# Ignore local networks and trusted services
···
# SSH protection - monitor failed login attempts
50
-
logpath = "%(syslog_authpriv)s";
33
+
backend = "systemd";
56
-
"iptables-multiport[name=SSH, port='ssh']"
57
-
"abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='18,22', abuseipdb_comment='Fail2Ban SSH Brute Force']"
37
+
action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";
# Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors
64
-
port = "http,https";
logpath = "/var/log/caddy/access.log";
72
-
"iptables-multiport[name=Caddy, port='http,https']"
73
-
"abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Caddy Abuse']"
49
+
action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";
# Rate-based protection - ban on excessive requests
caddy-ratelimit.settings = {
80
-
port = "http,https";
filter = "caddy-ratelimit";
logpath = "/var/log/caddy/access.log";
88
-
"iptables-multiport[name=Caddy-RateLimit, port='http,https']"
89
-
"abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Rate Limiting']"
61
+
action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";
···
111
-
# AbuseIPDB action for reporting IPs
112
-
# The API key is passed via the abuseipdb_apikey parameter which should be
113
-
# set to the path of the decrypted secret file (e.g., /run/agenix/abuseipdb)
114
-
"fail2ban/action.d/abuseipdb.conf".text = ''
82
+
# AbuseIPDB action for reporting IPs to the abuse database
83
+
"fail2ban/action.d/abuseipdb-notify.conf".text = ''
120
-
# Report IP to AbuseIPDB
121
-
# Reads the API key from the file specified in the abuseipdb_apikey parameter
89
+
# Report IP to AbuseIPDB API
actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \
-H "Key: $(cat <abuseipdb_apikey>)" \
-H "Accept: application/json" \
125
-
-d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>" \
93
+
-d "ip=<ip>&category=15&comment=Fail2Ban%20-%20<name>" \
128
-
# No action to unban - AbuseIPDB reports are permanent
96
+
# No actionunban - AbuseIPDB reports are permanent
132
-
# Default path - will be overridden by jail configuration
abuseipdb_apikey = /run/agenix/abuseipdb
134
-
abuseipdb_category = 18
135
-
abuseipdb_comment = Fail2Ban Report
sapphic.moe