From 996fcae23298c73af6e4260daafd5c4a9b4fbaa7 Mon Sep 17 00:00:00 2001
From: waveringana
Date: Sun, 17 Aug 2025 02:02:27 -0400
Subject: [PATCH] add fail2ban
---
 hosts/baal/default.nix | 31 +++++++++++++++++++++++++++++++
 hosts/buer/default.nix | 31 +++++++++++++++++++++++++++++++
 hosts/valefar/default.nix | 31 +++++++++++++++++++++++++++++++
 3 files changed, 93 insertions(+)
diff --git a/hosts/baal/default.nix b/hosts/baal/default.nix
index f4055b9..978a04e 100644
--- a/hosts/baal/default.nix
+++ b/hosts/baal/default.nix
@@ -33,6 +33,37 @@
 networkmanager.enable = true;
 };
 
+ services.fail2ban = {
+ enable = true;
+ # Ban IP after 5 failures
+ maxretry = 5;
+ ignoreIP = [
+ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+ ];
+ bantime = "24h"; # Ban IPs for one day on the first ban
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ jails = {
+ apache-nohome-iptables.settings = {
+ # Block an IP address if it accesses a non-existent
+ # home directory more than 5 times in 10 minutes,
+ # since that indicates that it's scanning.
+ filter = "apache-nohome";
+ action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/httpd/error_log*";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ };
+ };
+
 virtualisation.docker = {
 enable = true;
 enableOnBoot = true;
diff --git a/hosts/buer/default.nix b/hosts/buer/default.nix
index a3e14f9..79f464c 100755
--- a/hosts/buer/default.nix
+++ b/hosts/buer/default.nix
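Review bot: `bantime-increment.formula` and `bantime-increment.multipliers` are both set in the added `services.fail2ban` block, and fail2ban's jail.conf describes `multipliers` as being used instead of the formula when it is present, so the `formula = "ban.Time * math.exp(...)";` line appears to be dead configuration — keep `multipliers = "1 2 4 8 16 32 64";` alone, or drop it if the exponential curve is the intended one. The `apache-nohome-iptables` jail watches `/var/log/httpd/error_log*` and hard-codes an `iptables-multiport` action, yet nothing in the hunk shows an Apache httpd on this host; a jail whose logpath matches no file is likely to fail to start, and the explicit iptables action bypasses the module's default `banaction` (which I believe switches to nftables when `networking.nftables.enable` is set), so either confirm httpd is deployed here or remove the jail and rely on the `sshd` jail the module enables by default. `ignoreIP` whitelists all of 10/8, 172.16/12, 192.168/16 and 100.64/10, which means failed logins from anything already on the LAN or VPN are never banned; that trade-off deserves a comment such as `# Never ban RFC1918/CGNAT sources: assumes the internal network and VPN are trusted`. The same 31 lines are pasted verbatim into hosts/buer/default.nix and hosts/valefar/default.nix in the next two hunks, so moving the block into one shared module imported by all three hosts would keep future tuning in a single place.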
@@ -66,6 +66,37 @@
 useDHCP = false;
 };
 
+ services.fail2ban = {
+ enable = true;
+ # Ban IP after 5 failures
+ maxretry = 5;
+ ignoreIP = [
+ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+ ];
+ bantime = "24h"; # Ban IPs for one day on the first ban
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ jails = {
+ apache-nohome-iptables.settings = {
+ # Block an IP address if it accesses a non-existent
+ # home directory more than 5 times in 10 minutes,
+ # since that indicates that it's scanning.
+ filter = "apache-nohome";
+ action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/httpd/error_log*";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ };
+ };
+
 # Static IP configuration via systemd-networkd
 systemd.network = {
 enable = true;
diff --git a/hosts/valefar/default.nix b/hosts/valefar/default.nix
index 8494ac0..2fbbea2 100755
--- a/hosts/valefar/default.nix
+++ b/hosts/valefar/default.nix
@@ -262,6 +262,37 @@
 };
 };
 
+ services.fail2ban = {
+ enable = true;
+ # Ban IP after 5 failures
+ maxretry = 5;
+ ignoreIP = [
+ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+ ];
+ bantime = "24h"; # Ban IPs for one day on the first ban
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ jails = {
+ apache-nohome-iptables.settings = {
+ # Block an IP address if it accesses a non-existent
+ # home directory more than 5 times in 10 minutes,
+ # since that indicates that it's scanning.
+ filter = "apache-nohome";
+ action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/httpd/error_log*";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ };
+ };
+
 # =============================================================================
 # PACKAGES
 # =============================================================================