From fa0a63ec13bcd87710c10a29ba3489374333c4ef Mon Sep 17 00:00:00 2001
From: Renaud
Date: Wed, 14 Dec 2016 14:58:02 +0100
Subject: [PATCH] fail2ban service : improve ssh jail (#21131)

Improvement to the ssh-iptables to block the port(s) actually defined for sshd in config.services.openssh.ports
---
 nixos/modules/services/security/fail2ban.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 22e3bb0066c..716ae7a2d2f 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -143,7 +143,7 @@ in
 services.fail2ban.jails.ssh-iptables = ''
 filter = sshd
- action = iptables[name=SSH, port=ssh, protocol=tcp]
+ action = iptables-multiport[name=SSH, port="${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}", protocol=tcp]
 maxretry = 5
 '';
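Review bot: The added `action = iptables-multiport[... port="${concatMapStringsSep ...}" ...]` line interpolates `config.services.openssh.ports` with no guard for an empty list, so a configuration that sets `services.openssh.ports = []` (for instance one that binds sshd only through `listenAddresses`) renders `port=""`, and the resulting iptables-multiport rule fails to apply — the jail then silently provides no brute-force protection for whatever port sshd actually listens on. Consider rendering the ssh jail only when the list is non-empty, e.g. wrapping the option in `mkIf (config.services.openssh.ports != [])`, or adding an assertion so the evaluation fails loudly rather than the jail failing at runtime; ports declared via `listenAddresses` are presumably not covered by this list either, which is worth a comment on the line. As a point of style, `(p: toString p)` is just `toString`, so the line can read `action = iptables-multiport[name=SSH, port="${concatMapStringsSep "," toString config.services.openssh.ports}", protocol=tcp]`. The hunk does not show whether `concatMapStringsSep` is in scope unqualified (a `with lib;` at the top of the file would be needed), and the enclosing attribute set continues outside the hunk.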