Improve fail2ban config
This commit is contained in:
parent
5f00029da7
commit
dea5381792
|
@ -4,25 +4,27 @@
|
||||||
maxretry = 10;
|
maxretry = 10;
|
||||||
ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "78.94.116.222" ];
|
ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "78.94.116.222" ];
|
||||||
bantime-increment.enable = true;
|
bantime-increment.enable = true;
|
||||||
|
banaction-allports = "iptables";
|
||||||
|
|
||||||
jails = {
|
jails = {
|
||||||
nginx-bad-request = ''
|
nginx-deny = ''
|
||||||
enabled = true
|
enabled = true
|
||||||
action = iptables[type=allports]
|
backend = auto
|
||||||
|
logpath = /var/log/nginx/*access.log
|
||||||
|
'';
|
||||||
|
nginx-botsearch = ''
|
||||||
|
enabled = true
|
||||||
'';
|
'';
|
||||||
grafana = ''
|
grafana = ''
|
||||||
enabled = true
|
enabled = true
|
||||||
action = iptables[type=allports]
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Workaround for nginx-bad-request not being included
|
environment.etc."fail2ban/filter.d/nginx-deny.conf".text = ''
|
||||||
environment.etc."fail2ban/filter.d/nginx-bad-request.conf".source =
|
[Definition]
|
||||||
pkgs.fetchurl {
|
failregex = ^<HOST>.*"(GET|HEAD|POST|PUT|DELETE).*" (400|401|403|405|413|429) .*$
|
||||||
url =
|
ignoreregex =
|
||||||
"https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/nginx-bad-request.conf";
|
'';
|
||||||
sha256 = "sha256-fCxNQpN+IAY+2kfeOmunmtipxTjS0gHauTBIKiCtjDY=";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -52,7 +52,7 @@
|
||||||
|
|
||||||
# Open ports in the firewall.
|
# Open ports in the firewall.
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedTCPPorts = [ 20 21 22 80 443 990 6162 ];
|
allowedTCPPorts = [ 20 21 22 80 443 990 ];
|
||||||
allowedTCPPortRanges = [{
|
allowedTCPPortRanges = [{
|
||||||
from = 40000;
|
from = 40000;
|
||||||
to = 40200;
|
to = 40200;
|
||||||
|
|
Loading…
Reference in New Issue