···
age.secrets.abuseipdb = {
file = ../../secrets/abuseipdb.age;
12
-
# Include curl and jq for making HTTP requests to AbuseIPDB
13
-
extraPackages = [ pkgs.curl pkgs.jq ];
14
+
# Include curl for making HTTP requests to AbuseIPDB
15
+
extraPackages = [ pkgs.curl ];
15
-
# Global default settings for all jails
17
+
# Globally applicable settings for all jails
20
+
# How long to keep an IP in the ban list (in seconds)
21
+
# 1 day = 86400 seconds
24
+
# How far back to look for failures (in seconds)
25
+
# 1 hour = 3600 seconds
28
+
# Number of failures before banning
31
+
# Allow fail2ban to write to syslog
32
+
logtarget = "SYSLOG";
# Ignore local networks and trusted services
···
# SSH protection - monitor failed login attempts
33
-
backend = "systemd";
50
+
logpath = "%(syslog_authpriv)s";
37
-
action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";
55
+
action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='18,22', abuseipdb_comment='Fail2Ban SSH Brute Force']";
# Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors
61
+
port = "http,https";
logpath = "/var/log/caddy/access.log";
49
-
action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";
68
+
action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Caddy Abuse']";
# Rate-based protection - ban on excessive requests
caddy-ratelimit.settings = {
74
+
port = "http,https";
filter = "caddy-ratelimit";
logpath = "/var/log/caddy/access.log";
61
-
action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";
81
+
action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Rate Limiting']";
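Review bot: Replacing `backend = "systemd";` with `logpath = "%(syslog_authpriv)s";` in the sshd jail ties SSH brute-force detection to a syslog file that exists only if a syslog daemon on this host writes it; if the resolved path is missing, fail2ban will typically refuse to start that jail, so SSH coverage lapses while the Caddy jails keep running and nothing in this change would make that visible. Unless a syslog daemon is deliberately part of this system, keeping `backend = "systemd";` (the stock sshd filter carries a journalmatch and reads the journal directly) is the safer choice, or the deploy should verify the resolved log file exists. The `abuseipdb_comment` values passed in the three action strings contain spaces; if the action substitutes them verbatim into the POST body, they should be percent-encoded or sent with `--data-urlencode`, otherwise the request is malformed. The sshd and caddy jail definitions open outside this hunk, so their other settings could not be checked here.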
···
82
-
# AbuseIPDB action for reporting IPs to the abuse database
83
-
"fail2ban/action.d/abuseipdb-notify.conf".text = ''
102
+
# AbuseIPDB action for reporting IPs
103
+
# The API key is passed via the abuseipdb_apikey parameter which should be
104
+
# set to the path of the decrypted secret file (e.g., /run/agenix/abuseipdb)
105
+
"fail2ban/action.d/abuseipdb.conf".text = ''
89
-
# Report IP to AbuseIPDB API
111
+
# Report IP to AbuseIPDB
112
+
# Reads the API key from the file specified in the abuseipdb_apikey parameter
actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \
-H "Key: $(cat <abuseipdb_apikey>)" \
-H "Accept: application/json" \
93
-
-d "ip=<ip>&category=15&comment=Fail2Ban%20-%20<name>" \
116
+
-d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>" \
96
-
# No actionunban - AbuseIPDB reports are permanent
119
+
# No action to unban - AbuseIPDB reports are permanent
123
+
# Default path - will be overridden by jail configuration
abuseipdb_apikey = /run/agenix/abuseipdb
125
+
abuseipdb_category = 18
126
+
abuseipdb_comment = Fail2Ban Report