From feabbcb96178cad0c0037abc7a1083553f4e2f32 Mon Sep 17 00:00:00 2001
From: Alexander Szczepanski
Date: Tue, 15 Jun 2021 15:49:43 +0200
Subject: [PATCH] added fail2ban for vps

---
 machine/vps/configuration.nix | 45 +++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)

diff --git a/machine/vps/configuration.nix b/machine/vps/configuration.nix
index cdb3bf1..a98402a 100644
--- a/machine/vps/configuration.nix
+++ b/machine/vps/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 {
   imports =
@@ -118,11 +118,48 @@
     };
   };
 
+  services.fail2ban = {
+    enable = true;
+
+    jails.DEFAULT =
+      ''
+        bantime = 7d
+      '';
+
+    jails.sshd =
+      ''
+        filter = sshd
+        maxretry = 4
+        action = iptables[name=ssh, port=ssh, protocol=tcp]
+        enabled = true
+      '';
+
+    jails.sshd-ddos =
+      ''
+        filter = sshd-ddos
+        maxretry = 2
+        action = iptables[name=ssh, port=ssh, protocol=tcp]
+        enabled = true
+      '';
+  };
+
+  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
+    enable = true;
+    text = ''
+      [Definition]
+      failregex = sshd(?:\[\d+\])?: Did not receive identification string from $
+      ignoreregex =
+    '';
+  };
+
+  # Limit stack size to reduce memory usage
+  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+
   # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 22 80 443 ];
   # Or disable the firewall altogether.
-  networking.firewall.enable = false;
+  # networking.firewall.enable = false;
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
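Review bot: The `failregex` in the new `fail2ban/filter.d/sshd-ddos.conf` contains no `<HOST>` tag, so a match gives fail2ban no address to ban, and since fail2ban rejects a failregex without a host/failure-id group the `sshd-ddos` jail will fail to load rather than protect anything. The line should read `failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$`, and on OpenSSH versions that log the message as `... from <addr> port <n>` the trailing `$` should be relaxed as well, otherwise the pattern never matches. Separately, the firewall lines open UDP 22, 80 and 443 although sshd and plain HTTP/HTTPS listen on TCP; unless something on this host actually speaks UDP on those ports, `networking.firewall.allowedUDPPorts = [ 22 80 443 ];` should be dropped so the exposed surface stays at what the services need. The first hunk adds `lib` to the module arguments, but nothing in the visible hunks uses it, so it looks unused unless code outside the diff relies on it.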