nixpkgs/nixos/modules/services/security/fail2ban.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.fail2ban;

  fail2banConf = pkgs.writeText "fail2ban.conf" cfg.daemonConfig;

  jailConf = pkgs.writeText "jail.conf"
    (concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def:
      optionalString (def != "")
        ''
          [${name}]
          ${def}
        ''))));

in

{

  ###### interface

  options = {

    services.fail2ban = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Whether to enable the fail2ban service.";
      };

      daemonConfig = mkOption {
        default =
          ''
            [Definition]
            loglevel  = INFO
            logtarget = SYSLOG
            socket    = /run/fail2ban/fail2ban.sock
            pidfile   = /run/fail2ban/fail2ban.pid
          '';
        type = types.lines;
        description =
          ''
            The contents of Fail2ban's main configuration file.  It's
            generally not necessary to change it.
          '';
      };

      jails = mkOption {
        default = { };
        example = literalExample ''
          { apache-nohome-iptables = '''
              # Block an IP address if it accesses a non-existent
              # home directory more than 5 times in 10 minutes,
              # since that indicates that it's scanning.
              filter   = apache-nohome
              action   = iptables-multiport[name=HTTP, port="http,https"]
              logpath  = /var/log/httpd/error_log*
              findtime = 600
              bantime  = 600
              maxretry = 5
            ''';
          }
        '';
        type = types.attrsOf types.lines;
        description =
          ''
            The configuration of each Fail2ban “jail”.  A jail
            consists of an action (such as blocking a port using
            <command>iptables</command>) that is triggered when a
            filter applied to a log file triggers more than a certain
            number of times in a certain time period.  Actions are
            defined in <filename>/etc/fail2ban/action.d</filename>,
            while filters are defined in
            <filename>/etc/fail2ban/filter.d</filename>.
          '';
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.fail2ban ];

    environment.etc."fail2ban/fail2ban.conf".source = fail2banConf;
    environment.etc."fail2ban/jail.conf".source = jailConf;
    environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf";
    environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";

    systemd.services.fail2ban =
      { description = "Fail2ban Intrusion Prevention System";

        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        partOf = optional config.networking.firewall.enable "firewall.service";

        restartTriggers = [ fail2banConf jailConf ];
        path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ];

        preStart =
          ''
            mkdir -p /var/lib/fail2ban
          '';

        unitConfig.Documentation = "man:fail2ban(1)";

        serviceConfig =
          { Type = "forking";
            ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";
            ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";
            ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";
            PIDFile = "/run/fail2ban/fail2ban.pid";
            Restart = "always";

            ReadOnlyDirectories = "/";
            ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
            PrivateTmp = "true";
            RuntimeDirectory = "fail2ban";
            CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
          };
      };

    # Add some reasonable default jails.  The special "DEFAULT" jail
    # sets default values for all other jails.
    services.fail2ban.jails.DEFAULT =
      ''
        ignoreip = 127.0.0.1/8
        bantime  = 600
        findtime = 600
        maxretry = 3
        backend  = systemd
        enabled  = true
       '';

    # Block SSH if there are too many failing connection attempts.
    services.fail2ban.jails.ssh-iptables =
      ''
        filter   = sshd
        action   = iptables-multiport[name=SSH, port="${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}", protocol=tcp]
        maxretry = 5
      '';

  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00
			`let`

* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`cfg = config.services.fail2ban;`

			`fail2banConf = pkgs.writeText "fail2ban.conf" cfg.daemonConfig;`
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00
			`jailConf = pkgs.writeText "jail.conf"`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`(concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def:`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00			`optionalString (def != "")`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`''`
			`[${name}]`
			`${def}`
			`''))));`
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00
			`in`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00			`{`

			`###### interface`

			`options = {`

* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`services.fail2ban = {`
fail2ban: systemd support - upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable 2014-08-01 18:11:09 -07:00			`enable = mkOption {`
			`default = false;`
			`type = types.bool;`
			`description = "Whether to enable the fail2ban service.";`
			`};`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00
			`daemonConfig = mkOption {`
			`default =`
			`''`
			`[Definition]`
fail2ban: systemd support - upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable 2014-08-01 18:11:09 -07:00			`loglevel = INFO`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`logtarget = SYSLOG`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00			`socket = /run/fail2ban/fail2ban.sock`
			`pidfile = /run/fail2ban/fail2ban.pid`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`'';`
nixos/fail2ban: don't use types.string (it's deprecated) I'm not really sure which one of types.lines or types.str that fit better, but I'm going for types.lines because it behaves more like the current type (i.e. have the ability to merge). 2014-08-24 13:54:16 +02:00			`type = types.lines;`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`description =`
			`''`
			`The contents of Fail2ban's main configuration file. It's`
			`generally not necessary to change it.`
			`'';`
			`};`

			`jails = mkOption {`
			`default = { };`
fail2ban service: fix formatting of example 2015-07-04 18:51:04 +12:00			`example = literalExample ''`
			`{ apache-nohome-iptables = '''`
			`# Block an IP address if it accesses a non-existent`
			`# home directory more than 5 times in 10 minutes,`
			`# since that indicates that it's scanning.`
			`filter = apache-nohome`
			`action = iptables-multiport[name=HTTP, port="http,https"]`
			`logpath = /var/log/httpd/error_log*`
			`findtime = 600`
			`bantime = 600`
			`maxretry = 5`
			`''';`
			`}`
			`'';`
nixos/fail2ban: don't use types.string (it's deprecated) I'm not really sure which one of types.lines or types.str that fit better, but I'm going for types.lines because it behaves more like the current type (i.e. have the ability to merge). 2014-08-24 13:54:16 +02:00			`type = types.attrsOf types.lines;`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`description =`
			`''`
			`The configuration of each Fail2ban “jail”. A jail`
			`consists of an action (such as blocking a port using`
			`<command>iptables</command>) that is triggered when a`
			`filter applied to a log file triggers more than a certain`
			`number of times in a certain time period. Actions are`
			`defined in <filename>/etc/fail2ban/action.d</filename>,`
			`while filters are defined in`
			`<filename>/etc/fail2ban/filter.d</filename>.`
			`'';`
			`};`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`};`

* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00			`};`

fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00			`###### implementation`

fail2ban: systemd support - upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable 2014-08-01 18:11:09 -07:00			`config = mkIf cfg.enable {`
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00
			`environment.systemPackages = [ pkgs.fail2ban ];`

fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00			`environment.etc."fail2ban/fail2ban.conf".source = fail2banConf;`
			`environment.etc."fail2ban/jail.conf".source = jailConf;`
			`environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf";`
			`environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";`
fail2ban: move /var/run/fail2ban creation to activation script to be able to restrict the write locations for the service properly, add configuration files to the restartTriggers. 2013-07-31 11:22:32 +02:00
Make fail2ban a normal systemd service in nixos module. 2013-07-25 15:40:20 +02:00			`systemd.services.fail2ban =`
nixos/fail2ban: capitalize service description 2015-02-22 16:42:14 +01:00			`{ description = "Fail2ban Intrusion Prevention System";`
Make fail2ban a normal systemd service in nixos module. 2013-07-25 15:40:20 +02:00
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network.target" ];`
fail2ban: rework service 2016-04-25 23:13:03 +02:00			`partOf = optional config.networking.firewall.enable "firewall.service";`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00
fail2ban: move /var/run/fail2ban creation to activation script to be able to restrict the write locations for the service properly, add configuration files to the restartTriggers. 2013-07-31 11:22:32 +02:00			`restartTriggers = [ fail2banConf jailConf ];`
fail2ban service: add iproute to PATH iproute is required for blocking via null routes; without it, rules based on routes.conf will fail. Closes #15638 2016-05-23 12:44:35 +02:00			`path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ];`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00
			`preStart =`
			`''`
fail2ban: systemd support - upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable 2014-08-01 18:11:09 -07:00			`mkdir -p /var/lib/fail2ban`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00			`'';`

fail2ban: rework service 2016-04-25 23:13:03 +02:00			`unitConfig.Documentation = "man:fail2ban(1)";`

Limit the location where fail2ban service can write to (only /var/run/fail2ban). 2013-07-25 15:48:00 +02:00			`serviceConfig =`
fail2ban: rework service 2016-04-25 23:13:03 +02:00			`{ Type = "forking";`
			`ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";`
			`ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";`
			`ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";`
			`PIDFile = "/run/fail2ban/fail2ban.pid";`
			`Restart = "always";`

Limit the location where fail2ban service can write to (only /var/run/fail2ban). 2013-07-25 15:48:00 +02:00			`ReadOnlyDirectories = "/";`
fail2ban: rework service 2016-04-25 23:13:03 +02:00			`ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";`
			`PrivateTmp = "true";`
			`RuntimeDirectory = "fail2ban";`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00			`CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";`
Limit the location where fail2ban service can write to (only /var/run/fail2ban). 2013-07-25 15:48:00 +02:00			`};`
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00			`};`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00
			`# Add some reasonable default jails. The special "DEFAULT" jail`
			`# sets default values for all other jails.`
			`services.fail2ban.jails.DEFAULT =`
			`''`
			`ignoreip = 127.0.0.1/8`
			`bantime = 600`
			`findtime = 600`
			`maxretry = 3`
fail2ban: systemd support - upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable 2014-08-01 18:11:09 -07:00			`backend = systemd`
nixos/fail2ban: Enable jails by default With jails defaulting to 'enabled = true', the sshd jail that NixOS defines will now be enabled. [Bjørn: tweak commit message] 2015-12-26 16:50:37 +01:00			`enabled = true`
fail2ban: systemd support - upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable 2014-08-01 18:11:09 -07:00			`'';`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00
			`# Block SSH if there are too many failing connection attempts.`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00			`services.fail2ban.jails.ssh-iptables =`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`''`
			`filter = sshd`
fail2ban service : improve ssh jail (#21131) Improvement to the ssh-iptables to block the port(s) actually defined for sshd in config.services.openssh.ports 2016-12-14 14:58:02 +01:00			`action = iptables-multiport[name=SSH, port="${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}", protocol=tcp]`
* Make the fail2ban module configurable. svn path=/nixos/trunk/; revision=34157 2012-05-17 18:19:48 +00:00			`maxretry = 5`
			`'';`
fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. 2013-10-15 18:36:45 +02:00
* Basic module for fail2ban. Not configurable yet. It currently blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149 2012-05-17 02:51:24 +00:00			`};`

			`}`