Fail2ban

2026-02-14 16:38:11 -07:00
parent 588e385512
commit 2b7c094627
2 changed files with 73 additions and 0 deletions
--- a/modules/fail2ban.nix
+++ b/modules/fail2ban.nix
@@ -0,0 +1,72 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "168h";
+      factor = "4";
+    };
+
+    maxretry = 5;
+    findtime = "10m";
+
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "100.64.0.0/10"
+    ];
+
+    jails = {
+      sshd = {
+        settings = {
+          enabled = true;
+          port = "22";
+          filter = "sshd[mode=aggressive]";
+          maxretry = 5;
+          findtime = "10m";
+          bantime = "1h";
+        };
+      };
+
+      nginx-botsearch = {
+        settings = {
+          enabled = true;
+          port = "http,https";
+          filter = "nginx-botsearch";
+          logpath = "/var/log/nginx/access.log";
+          maxretry = 5;
+          findtime = "10m";
+          bantime = "1h";
+        };
+      };
+
+      nginx-http-auth = {
+        settings = {
+          enabled = true;
+          port = "http,https";
+          filter = "nginx-http-auth";
+          logpath = "/var/log/nginx/error.log";
+          maxretry = 5;
+          findtime = "10m";
+          bantime = "1h";
+        };
+      };
+
+      nginx-bad-request = {
+        settings = {
+          enabled = true;
+          port = "http,https";
+          filter = "nginx-bad-request";
+          logpath = "/var/log/nginx/access.log";
+          maxretry = 15;
+          findtime = "10m";
+          bantime = "30m";
+        };
+      };
+    };
+  };
+}