# NixOS module: fail2ban with three jails (nginx-deny, nginx-botsearch,
# grafana) plus the custom filter file that the nginx-deny jail uses.
{ config, pkgs, ... }:
{
  services.fail2ban = {
    enable = true;

    # Failures tolerated per source before a ban; repeat offenders get
    # progressively longer bans via bantime-increment.
    maxretry = 10;
    bantime-increment.enable = true;

    # NOTE(review): confirm that an action named "iptables" exists in the
    # installed fail2ban and really blocks all ports when used as the
    # all-ports ban action; the stock all-ports action is "iptables-allports".
    banaction-allports = "iptables";

    # Sources that are never banned: loopback, two whole RFC 1918 ranges and
    # one public address. Anything arriving from these (a compromised internal
    # host, or clients hidden behind a proxy/NAT in these ranges) is exempt
    # from every jail below, so keep this list as narrow as the deployment
    # allows.
    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "192.168.0.0/16"
      "78.94.116.222"
    ];

    jails = {
      # Custom jail. No "filter" key is set here, so it presumably resolves
      # by jail name to filter.d/nginx-deny.conf defined at the bottom of this
      # module (verify on the host). The glob covers every file in
      # /var/log/nginx whose name ends in "access.log".
      nginx-deny = ''
        enabled = true
        backend = auto
        logpath = /var/log/nginx/*access.log
      '';

      # These two only switch the jail on; filter and log path are left to
      # whatever fail2ban ships for jails of these names. Presumably the
      # packaged defaults; check that their log paths match this host.
      nginx-botsearch = ''
        enabled = true
      '';
      grafana = ''
        enabled = true
      '';
    };
  };

  # Filter for the nginx-deny jail. A log line counts as a failure when it
  # starts with the client address and records a GET/HEAD/POST/PUT/DELETE
  # request answered with 400, 401, 403, 405, 413 or 429.
  #
  # Review points:
  #  - 401 and 429 are also produced by legitimate clients (auth prompts,
  #    rate limiting), so ordinary users can accumulate failures.
  #  - <HOST> is read from the first field of the line. If nginx sits behind
  #    a reverse proxy or CDN and logs the proxy address there, a ban lands
  #    on the proxy rather than the client. Confirm the log format.
  #  - The ".*" wildcards span client-controlled fields (request line,
  #    referer, user agent); the leading "^<HOST>" anchor is what keeps the
  #    banned address pinned to the logged peer. Keep that anchor if the
  #    pattern is ever edited.
  environment.etc."fail2ban/filter.d/nginx-deny.conf".text = ''
    [Definition]
    failregex = ^<HOST>.*"(GET|HEAD|POST|PUT|DELETE).*" (400|401|403|405|413|429) .*$
    ignoreregex =
  '';
}