commit e0f87f2f79f3e469127200bd5b196a4db2a10870 · sapphic.moe/flake

+47 -21

services/fail2ban/default.nix

···

       4
        
         age.secrets.abuseipdb = {

     

       5
        
           file = ../../secrets/abuseipdb.age;

     

       6
        
           mode = "600";

     

       0
        
       
     

       0
        
       
     

       7
        
         };

     

       8
        
       

     

       9
        
         services.fail2ban = {

     

       10
        
           enable = true;

     

       11
        
       

     

       12
       -
           # Include curl and jq for making HTTP requests to AbuseIPDB

     

       13
       -
           extraPackages = [ pkgs.curl pkgs.jq ];

     

       14
        
       

     

       15
       -
           # Global default settings for all jails

     

       16
       -
           bantime = "1d";

     

       17
       -
           findtime = "1h";

     

       18
       -
           maxretry = 3;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
       

     

       20
        
           # Ignore local networks and trusted services

     

       21
        
           ignoreIP = [

     
···

       29
        
             # SSH protection - monitor failed login attempts

     

       30
        
             sshd.settings = {

     

       31
        
               enabled = true;

     

       0
        
       
     

       32
        
               filter = "sshd";

     

       33
       -
               backend = "systemd";

     

       0
        
       
     

       34
        
               maxretry = 5;

     

       35
       -
               findtime = "1h";

     

       36
       -
               bantime = "1d";

     

       37
       -
               action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";

     

       38
        
             };

     

       39
        
       

     

       40
        
             # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors

     

       41
        
             caddy-http.settings = {

     

       42
        
               enabled = true;

     

       0
        
       
     

       43
        
               filter = "caddy-http";

     

       44
        
               logpath = "/var/log/caddy/access.log";

     

       45
        
               backend = "auto";

     

       46
        
               maxretry = 10;

     

       47
       -
               findtime = "10m";

     

       48
       -
               bantime = "1h";

     

       49
       -
               action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";

     

       50
        
             };

     

       51
        
       

     

       52
        
             # Rate-based protection - ban on excessive requests

     

       53
        
             caddy-ratelimit.settings = {

     

       54
        
               enabled = true;

     

       0
        
       
     

       55
        
               filter = "caddy-ratelimit";

     

       56
        
               logpath = "/var/log/caddy/access.log";

     

       57
        
               backend = "auto";

     

       58
        
               maxretry = 50;

     

       59
       -
               findtime = "1m";

     

       60
       -
               bantime = "30m";

     

       61
       -
               action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb-notify[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}]";

     

       62
        
             };

     

       63
        
           };

     

       64
        
         };

     
···

       79
        
             ignoreregex =

     

       80
        
           '';

     

       81
        
       

     

       82
       -
           # AbuseIPDB action for reporting IPs to the abuse database

     

       83
       -
           "fail2ban/action.d/abuseipdb-notify.conf".text = ''

     

       0
        
       
     

       0
        
       
     

       84
        
             [Definition]

     

       85
        
             actionstart =

     

       86
        
             actionstop =

     

       87
        
             actioncheck =

     

       88
        
       

     

       89
       -
             # Report IP to AbuseIPDB API

     

       0
        
       
     

       90
        
             actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \

     

       91
        
               -H "Key: $(cat <abuseipdb_apikey>)" \

     

       92
        
               -H "Accept: application/json" \

     

       93
       -
               -d "ip=<ip>&category=15&comment=Fail2Ban%20-%20<name>" \

     

       94
        
               -o /dev/null

     

       95
        
       

     

       96
       -
             # No actionunban - AbuseIPDB reports are permanent

     

       97
        
             actionunban =

     

       98
        
       

     

       99
        
             [Init]

     

       0
        
       
     

       100
        
             abuseipdb_apikey = /run/agenix/abuseipdb

     

       0
        
       
     

       0
        
       
     

       101
        
           '';

     

       102
        
         };

     

       103
        
       }

···

       4
        
         age.secrets.abuseipdb = {

     

       5
        
           file = ../../secrets/abuseipdb.age;

     

       6
        
           mode = "600";

     

       7
       +
           owner = "abuseipdb";

     

       8
       +
           group = "abuseipdb";

     

       9
        
         };

     

       10
        
       

     

       11
        
         services.fail2ban = {

     

       12
        
           enable = true;

     

       13
        
       

     

       14
       +
           # Include curl for making HTTP requests to AbuseIPDB

     

       15
       +
           extraPackages = [ pkgs.curl ];

     

       16
        
       

     

       17
       +
           # Globally applicable settings for all jails

     

       18
       +
           daemonSettings = {

     

       19
       +
             Definition = {

     

       20
       +
               # How long to keep an IP in the ban list (in seconds)

     

       21
       +
               # 1 day = 86400 seconds

     

       22
       +
               bantime = "86400";

     

       23
       +
       

     

       24
       +
               # How far back to look for failures (in seconds)

     

       25
       +
               # 1 hour = 3600 seconds

     

       26
       +
               findtime = "3600";

     

       27
       +
       

     

       28
       +
               # Number of failures before banning

     

       29
       +
               maxretry = 3;

     

       30
       +
       

     

       31
       +
               # Allow fail2ban to write to syslog

     

       32
       +
               logtarget = "SYSLOG";

     

       33
       +
             };

     

       34
       +
           };

     

       35
        
       

     

       36
        
           # Ignore local networks and trusted services

     

       37
        
           ignoreIP = [

     
···

       45
        
             # SSH protection - monitor failed login attempts

     

       46
        
             sshd.settings = {

     

       47
        
               enabled = true;

     

       48
       +
               port = "ssh";

     

       49
        
               filter = "sshd";

     

       50
       +
               logpath = "%(syslog_authpriv)s";

     

       51
       +
               backend = "auto";

     

       52
        
               maxretry = 5;

     

       53
       +
               findtime = "3600";

     

       54
       +
               bantime = "86400";

     

       55
       +
               action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='18,22', abuseipdb_comment='Fail2Ban SSH Brute Force']";

     

       56
        
             };

     

       57
        
       

     

       58
        
             # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors

     

       59
        
             caddy-http.settings = {

     

       60
        
               enabled = true;

     

       61
       +
               port = "http,https";

     

       62
        
               filter = "caddy-http";

     

       63
        
               logpath = "/var/log/caddy/access.log";

     

       64
        
               backend = "auto";

     

       65
        
               maxretry = 10;

     

       66
       +
               findtime = "600";

     

       67
       +
               bantime = "3600";

     

       68
       +
               action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Caddy Abuse']";

     

       69
        
             };

     

       70
        
       

     

       71
        
             # Rate-based protection - ban on excessive requests

     

       72
        
             caddy-ratelimit.settings = {

     

       73
        
               enabled = true;

     

       74
       +
               port = "http,https";

     

       75
        
               filter = "caddy-ratelimit";

     

       76
        
               logpath = "/var/log/caddy/access.log";

     

       77
        
               backend = "auto";

     

       78
        
               maxretry = 50;

     

       79
       +
               findtime = "60";

     

       80
       +
               bantime = "1800";

     

       81
       +
               action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Rate Limiting']";

     

       82
        
             };

     

       83
        
           };

     

       84
        
         };

     
···

       99
        
             ignoreregex =

     

       100
        
           '';

     

       101
        
       

     

       102
       +
           # AbuseIPDB action for reporting IPs

     

       103
       +
           # The API key is passed via the abuseipdb_apikey parameter which should be

     

       104
       +
           # set to the path of the decrypted secret file (e.g., /run/agenix/abuseipdb)

     

       105
       +
           "fail2ban/action.d/abuseipdb.conf".text = ''

     

       106
        
             [Definition]

     

       107
        
             actionstart =

     

       108
        
             actionstop =

     

       109
        
             actioncheck =

     

       110
        
       

     

       111
       +
             # Report IP to AbuseIPDB

     

       112
       +
             # Reads the API key from the file specified in the abuseipdb_apikey parameter

     

       113
        
             actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \

     

       114
        
               -H "Key: $(cat <abuseipdb_apikey>)" \

     

       115
        
               -H "Accept: application/json" \

     

       116
       +
               -d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>" \

     

       117
        
               -o /dev/null

     

       118
        
       

     

       119
       +
             # No action to unban - AbuseIPDB reports are permanent

     

       120
        
             actionunban =

     

       121
        
       

     

       122
        
             [Init]

     

       123
       +
             # Default path - will be overridden by jail configuration

     

       124
        
             abuseipdb_apikey = /run/agenix/abuseipdb

     

       125
       +
             abuseipdb_category = 18

     

       126
       +
             abuseipdb_comment = Fail2Ban Report

     

       127
        
           '';

     

       128
        
         };

     

       129
        
       }