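{ config, pkgs, ... }: {
  # Host-wide fail2ban: escalating bans for abusive nginx clients and
  # Grafana login failures.  Jail bodies are fail2ban INI text, not Nix.
  services.fail2ban = {
    enable = true;

    # Ten matching log lines inside fail2ban's findtime window trigger a ban.
    # nginx-deny (below) counts every 401 as a failure, so a legitimate user
    # who fumbles HTTP Basic auth ten times in that window is banned as well.
    maxretry = 10;

    # Never ban loopback, two RFC 1918 ranges, and one fixed public address
    # (presumably an admin host -- confirm it is still the right one).
    # 172.16.0.0/12 is not listed; add it if such a network reaches this host.
    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "192.168.0.0/16"
      "78.94.116.222"
    ];

    # Repeat offenders get progressively longer bans.
    bantime-increment.enable = true;

    # NOTE(review): the plain "iptables" action blocks a single port (its
    # default port is ssh); an all-ports ban is normally provided by the
    # "iptables-allports" action.  No jail here uses the allports action, so
    # this is latent -- confirm before enabling a recidive-style jail.
    banaction-allports = "iptables";

    jails = {
      # Custom filter (defined below) over every nginx access log.
      nginx-deny = ''
        enabled = true
        backend = auto
        logpath = /var/log/nginx/*access.log
      '';
      # Upstream filter (fail2ban's filter.d/nginx-botsearch.conf): probes
      # for well-known vulnerable paths.
      nginx-botsearch = ''
        enabled = true
      '';
      # Upstream grafana filter.  It reads grafana's file log, so it only
      # does anything if grafana logs to a file rather than only the journal.
      grafana = ''
        enabled = true
      '';
    };
  };

  # Filter for the nginx-deny jail: a client that repeatedly provokes
  # 400/401/403/405/413/429 responses is banned.
  #
  # Assumes the access log line starts with $remote_addr (nginx's default
  # "combined" format).  Behind a reverse proxy that field holds the proxy's
  # address and a ban would cut off every user -- log and match the real
  # client address instead if this host is proxied.
  #
  # The request and status fields are matched with [^"]* rather than .*: the
  # request line is attacker-controlled, and nested greedy .* groups backtrack
  # quadratically on long non-matching lines, letting a client stall
  # fail2ban's log parsing.  With nginx's default log escaping, embedded
  # quotes in a field are written as \x22, so [^"]* still spans a whole field.
  environment.etc."fail2ban/filter.d/nginx-deny.conf".text = ''
    [Definition]
    failregex = ^<HOST>[^"]*"(GET|HEAD|POST|PUT|DELETE)[^"]*" (400|401|403|405|413|429)\s
    ignoreregex =
  '';
}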