Improve fail2ban config

2023-03-18 23:15:53 +01:00 · 2023-03-18 23:15:53 +01:00 · dea5381792
parent 5f00029da7
commit dea5381792
2 changed files with 13 additions and 11 deletions
--- a/common/fragments/fail2ban.nix
+++ b/common/fragments/fail2ban.nix
@ -4,25 +4,27 @@
    maxretry = 10;
    ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "78.94.116.222" ];
    bantime-increment.enable = true;
+    banaction-allports = "iptables";

    jails = {
-      nginx-bad-request = ''
+      nginx-deny = ''
        enabled  = true
-        action   = iptables[type=allports]
+        backend  = auto
+        logpath  = /var/log/nginx/*access.log
+      '';
+      nginx-botsearch = ''
+        enabled = true
      '';
      grafana = ''
        enabled  = true
-        action   = iptables[type=allports]
      '';
    };
  };

-  # Workaround for nginx-bad-request not being included
-  environment.etc."fail2ban/filter.d/nginx-bad-request.conf".source =
-    pkgs.fetchurl {
-      url =
-        "https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/nginx-bad-request.conf";
-      sha256 = "sha256-fCxNQpN+IAY+2kfeOmunmtipxTjS0gHauTBIKiCtjDY=";
-    };
+  environment.etc."fail2ban/filter.d/nginx-deny.conf".text = ''
+    [Definition]
+    failregex =  ^<HOST>.*"(GET|HEAD|POST|PUT|DELETE).*" (400|401|403|405|413|429) .*$
+    ignoreregex =
+  '';
 }

--- a/hosts/bloodletting/configuration.nix
+++ b/hosts/bloodletting/configuration.nix
@ -52,7 +52,7 @@

  # Open ports in the firewall.
  networking.firewall = {
-    allowedTCPPorts = [ 20 21 22 80 443 990 6162 ];
+    allowedTCPPorts = [ 20 21 22 80 443 990 ];
    allowedTCPPortRanges = [{
      from = 40000;
      to = 40200;