added fail2ban for vps

This commit is contained in:
Alexander Szczepanski
2021-06-15 15:49:43 +02:00
parent 5d0706b3c8
commit feabbcb961


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = imports =
@ -118,11 +118,48 @@
}; };
}; };
services.fail2ban = {
enable = true;
jails.DEFAULT =
''
bantime = 7d
'';
jails.sshd =
''
filter = sshd
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
jails.sshd-ddos =
''
filter = sshd-ddos
maxretry = 2
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
};
environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
enable = true;
text = ''
[Definition]
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
ignoreregex =
'';
};
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# networking.firewall.allowedUDPPorts = [ ... ]; networking.firewall.allowedUDPPorts = [ 22 80 443 ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
networking.firewall.enable = false; # networking.firewall.enable = false;
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions