my nix configs for my servers and desktop

add fail2ban

+93
+31
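--- a/hosts/baal/default.nix
+++ b/hosts/baal/default.nix
@@ -33,6 +33,37 @@
     networkmanager.enable = true;
   };
 
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    jails = {
+      apache-nohome-iptables.settings = {
+        # Block an IP address if it accesses a non-existent
+        # home directory more than 5 times in 10 minutes,
+        # since that indicates that it's scanning.
+        filter = "apache-nohome";
+        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+        logpath = "/var/log/httpd/error_log*";
+        backend = "auto";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
+      };
+    };
+  };
+
   virtualisation.docker = {
     enable = true;
     enableOnBoot = true;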
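Review bot: The `apache-nohome-iptables` jail watches `/var/log/httpd/error_log*`, but nothing in this hunk enables `services.httpd`, and the jail body (comment included) matches the example from the NixOS `services.fail2ban` option docs verbatim, so it reads as copied rather than tailored to this host. If the glob matches no file, fail2ban reports "Have not found any log file" for that jail at start-up and the jail does not run, which is wasted config at best; confirm httpd actually writes there or drop the `jails` block and rely on the module's default sshd jail. Separately, this host enables `virtualisation.docker`: the `iptables-multiport` action inserts rules into the INPUT chain, while Docker-published ports are accepted via the FORWARD/DOCKER chains, so bans from this jail would likely not protect a containerised web service — verify where the web server runs before relying on it. The enclosing attribute set continues outside the hunk.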
+31
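--- a/hosts/buer/default.nix
+++ b/hosts/buer/default.nix
@@ -66,6 +66,37 @@
     useDHCP = false;
   };
 
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    jails = {
+      apache-nohome-iptables.settings = {
+        # Block an IP address if it accesses a non-existent
+        # home directory more than 5 times in 10 minutes,
+        # since that indicates that it's scanning.
+        filter = "apache-nohome";
+        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+        logpath = "/var/log/httpd/error_log*";
+        backend = "auto";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
+      };
+    };
+  };
+
   # Static IP configuration via systemd-networkd
   systemd.network = {
     enable = true;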
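Review bot: This 31-line block is byte-identical to the ones added in hosts/baal and hosts/valefar, so any later tweak (a narrower `ignoreIP`, a changed `bantime`) has to be made three times and a missed copy silently leaves one host with weaker policy. Factor it into a shared module, e.g. `modules/fail2ban.nix`, and import it from each host with `imports = [ ../../modules/fail2ban.nix ];`, keeping only per-host differences (such as which jails exist) in the host file. Within `bantime-increment`, setting `multipliers` makes fail2ban use those values in place of `formula` (jail.conf documents multipliers as an alternative to the formula), so the `formula` line appears to be dead configuration that could be dropped to avoid suggesting it is in effect — worth confirming against the fail2ban version in use. The enclosing attribute set continues outside the hunk.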
+31
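--- a/hosts/valefar/default.nix
+++ b/hosts/valefar/default.nix
@@ -262,6 +262,37 @@
     };
   };
 
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    jails = {
+      apache-nohome-iptables.settings = {
+        # Block an IP address if it accesses a non-existent
+        # home directory more than 5 times in 10 minutes,
+        # since that indicates that it's scanning.
+        filter = "apache-nohome";
+        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+        logpath = "/var/log/httpd/error_log*";
+        backend = "auto";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
+      };
+    };
+  };
+
   # =============================================================================
   # PACKAGES
   # =============================================================================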
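Review bot: `ignoreIP` exempts every RFC1918 range plus the whole of `100.64.0.0/10` (CGNAT space, which is also what Tailscale hands out), so no device on the LAN or an overlay network is ever banned — including from the sshd jail the NixOS module enables by default — and a compromised peer gets unlimited login attempts. That may be an acceptable trade-off on a trusted home network, but it deserves a comment stating the intent, and narrowing to the real management subnet (e.g. `ignoreIP = [ "192.168.1.0/24" ];`) costs little. The jail also hard-codes `iptables-multiport` as its `action`; the NixOS module already picks `nftables-multiport` or `iptables-multiport` via `banaction` based on `networking.nftables.enable`, so leaving `action` unset keeps the jail correct if this host is switched to nftables (whether it uses nftables is not visible in this hunk). The enclosing attribute set continues outside the hunk.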