security: add fail2ban

2025-09-26 20:47:19 +08:00 · 2025-09-26 20:47:19 +08:00 · 20ee47caa2
commit 20ee47caa2
parent 8de4592eb5
4 changed files with 71 additions and 1 deletions
--- a/system/dev/dn-server/default.nix
+++ b/system/dev/dn-server/default.nix
@ -18,6 +18,7 @@ in
      intel-bus-id = "PCI:0:2:0";
      nvidia-bus-id = "PCI:1:0:0";
    })
+    ./security.nix
    ./sops-conf.nix
    ./boot.nix
    ./hardware-configuration.nix
@ -58,6 +59,7 @@ in
      dataBackupPath = "/mnt/backup_dn";
      dbBackupPath = "/mnt/backup_dn";
      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+      trusted = [ "nextcloud.daccc.info" ];
    })
    (import ../../modules/vaultwarden.nix {
      domain = "bitwarden.net.dn";
--- a/system/dev/dn-server/security.nix
+++ b/system/dev/dn-server/security.nix
@ -0,0 +1,13 @@
+{
+  ...
+}:
+{
+  imports = [
+    (import ../../modules/fail2ban.nix {
+      extraAllowList = [
+        "10.0.0.0/24"
+        "122.117.215.55"
+      ];
+    })
+  ];
+}
--- a/system/modules/fail2ban.nix
+++ b/system/modules/fail2ban.nix
@ -0,0 +1,55 @@
+{
+  extreAllowList ? [ ],
+  ...
+}:
+{
+
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "192.168.0.0/16"
+    ]
+    ++ extreAllowList;
+    bantime = "24h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "8 64";
+      maxtime = "1y";
+      overalljails = true;
+    };
+    jails =
+      let
+        nginxLogPath = "/var/log/nginx/error.log*";
+      in
+      {
+        sshd.settings = {
+          logPath = "";
+          filter = "sshd";
+          action = ''nftables-multiport[name="sshd", port="ssh,30072"]'';
+          backend = "systemd";
+          findtime = 600;
+          bantime = 600;
+          maxretry = 5;
+        };
+        nginx-error-common.settings = {
+          logPath = nginxLogPath;
+          filter = "nginx-error-common";
+          action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+          backend = "auto";
+          findtime = 600;
+          bantime = 600;
+          maxretry = 5;
+        };
+        nginx-forbidden.settings = {
+          logPath = nginxLogPath;
+          filter = "nginx-forbidden";
+          action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+          backend = "auto";
+          findtime = 600;
+          bantime = 600;
+          maxretry = 5;
+        };
+      };
+  };
+}
--- a/system/modules/mail-server/server.nix
+++ b/system/modules/mail-server/server.nix
@ -292,7 +292,7 @@ in
          log_path = /dev/stderr
          log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)

-          auth_mechanisms = plain login oauthbearer
+          auth_mechanisms = plain login
          ssl = required

          service auth {