* Basic module for fail2ban. Not configurable yet. It currently
blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149
This commit is contained in:
parent
a9a507eede
commit
3ce8859551
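--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -0,0 +1,88 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+fail2banConf = pkgs.writeText "fail2ban.conf"
+''
+[Definition]
+loglevel = 3
+logtarget = SYSLOG
+socket = /var/run/fail2ban/fail2ban.sock
+'';
+
+jailConf = pkgs.writeText "jail.conf"
+''
+[DEFAULT]
+bantime = 120
+findtime = 120
+maxretry = 3
+backend = auto
+
+[ssh-iptables]
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+logpath = /var/log/warn
+maxretry = 5
+'';
+
+in
+
+{
+
+###### interface
+
+options = {
+
+};
+
+
+###### implementation
+
+config = {
+
+environment.systemPackages = [ pkgs.fail2ban ];
+
+environment.etc =
+[ { source = fail2banConf;
+target = "fail2ban/fail2ban.conf";
+}
+{ source = jailConf;
+target = "fail2ban/jail.conf";
+}
+{ source = "${pkgs.fail2ban}/etc/fail2ban/action.d";
+target = "fail2ban/action.d";
+}
+{ source = "${pkgs.fail2ban}/etc/fail2ban/filter.d";
+target = "fail2ban/filter.d";
+}
+];
+
+jobs.fail2ban =
+{ description = "Fail2ban intrusion prevention system";
+
+startOn = "started networking";
+
+path = [ pkgs.fail2ban pkgs.iptables ];
+
+preStart =
+''
+# ${fail2banConf} ${jailConf}
+mkdir -p /var/run/fail2ban -m 0755
+'';
+
+exec = "fail2ban-server -f";
+
+postStart =
+''
+fail2ban-client reload
+'';
+
+respawn = false;
+};
+
+};
+
+}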
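Review bot: The `logpath = /var/log/warn` in the `[ssh-iptables]` jail is a hard-coded assumption about where this system's syslog writes sshd authentication failures; nothing in the module creates that file or ties it to the logging configuration, and fail2ban will not start a jail whose logpath it cannot find, so on a host with a different log layout the jail silently protects nothing. A comment above that line such as `# sshd auth failures must be routed here by the syslog configuration` would make the dependency visible, and deriving the path from the logging module would make it robust. `respawn = false` also means a crashed fail2ban-server leaves the host without the protection this module is meant to add, with no restart and no signal; if that is deliberate it deserves a one-line comment. Finally, the bare `# ${fail2banConf} ${jailConf}` line in preStart presumably exists only so the job text changes whenever the generated config files change; stating that intent in the comment itself (`# referenced so the job is rebuilt when the config files change`) would keep the next reader from deleting it as dead text.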
@ -274,7 +274,7 @@ in
|
|||||||
|
|
||||||
jobs.networking = {
|
jobs.networking = {
|
||||||
name = "networking";
|
name = "networking";
|
||||||
description = "all required interfaces are up";
|
description = "All required interfaces are up";
|
||||||
startOn = "started network-interfaces";
|
startOn = "started network-interfaces";
|
||||||
stopOn = "stopping network-interfaces";
|
stopOn = "stopping network-interfaces";
|
||||||
task = true;
|
task = true;
|
||||||
|