feat: add fail2ban

2025-07-05 20:56:33 +05:30 · 2024-11-03 16:09:44 +05:30
parent 89651d1630
commit 572f3bd9ae
2 changed files with 33 additions and 0 deletions
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -16,6 +16,7 @@ in {
    inputs.impermanence.nixosModules.impermanence
    inputs.home-manager.nixosModules.home-manager

+    ../../modules/nixos/fail2ban.nix
    ../../modules/nixos/sops.nix
  ];

--- a/modules/nixos/fail2ban.nix
+++ b/modules/nixos/fail2ban.nix
@ -0,0 +1,32 @@
+{config, ...}: let
+  isFirewallEnabled = config.networking.firewall.enable;
+in {
+  services.fail2ban = {
+    enable = isFirewallEnabled;
+    maxretry = 5;
+    banaction = "iptables-multiport[blocktype=DROP]";
+    ignoreIP = [
+      "127.0.0.0/8"
+      "10.0.0.0/8"
+      "192.168.0.0/16"
+    ];
+    bantime = "24h";
+
+    bantime-increment = {
+      enable = true;
+      rndtime = "12m";
+      overalljails = true;
+      multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+      maxtime = "192h";
+    };
+
+    jails = {
+      sshd.settings = {
+        enabled = true;
+        port = toString config.services.openssh.ports;
+        mode = "aggressive";
+        filter = "sshd";
+      };
+    };
+  };
+}