nixpkgs/nixos/modules/services/security/fail2ban.nix

179 lines
5.2 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.fail2ban;
fail2banConf = pkgs.writeText "fail2ban.local" cfg.daemonConfig;
jailConf = pkgs.writeText "jail.local" ''
[INCLUDES]
before = paths-nixos.conf
${concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def:
optionalString (def != "")
''
[${name}]
${def}
'')))}
'';
pathsConf = pkgs.writeText "paths-nixos.conf" ''
# NixOS
[INCLUDES]
before = paths-common.conf
after = paths-overrides.local
[DEFAULT]
'';
in
{
###### interface
options = {
services.fail2ban = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to enable the fail2ban service.";
};
package = mkOption {
default = pkgs.fail2ban;
type = types.package;
example = "pkgs.fail2ban_0_11";
description = "The fail2ban package to use for running the fail2ban service.";
};
packageFirewall = mkOption {
default = pkgs.iptables;
type = types.package;
example = "pkgs.nftables";
description = "The firewall package used by fail2ban service.";
};
daemonConfig = mkOption {
default = ''
[Definition]
logtarget = SYSLOG
socket = /run/fail2ban/fail2ban.sock
pidfile = /run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
'';
type = types.lines;
description = ''
The contents of Fail2ban's main configuration file. It's
generally not necessary to change it.
'';
};
jails = mkOption {
default = { };
example = literalExample ''
{ apache-nohome-iptables = '''
# Block an IP address if it accesses a non-existent
# home directory more than 5 times in 10 minutes,
# since that indicates that it's scanning.
filter = apache-nohome
action = iptables-multiport[name=HTTP, port="http,https"]
logpath = /var/log/httpd/error_log*
findtime = 600
bantime = 600
maxretry = 5
''';
}
'';
type = types.attrsOf types.lines;
description = ''
The configuration of each Fail2ban jail. A jail
consists of an action (such as blocking a port using
<command>iptables</command>) that is triggered when a
filter applied to a log file triggers more than a certain
number of times in a certain time period. Actions are
defined in <filename>/etc/fail2ban/action.d</filename>,
while filters are defined in
<filename>/etc/fail2ban/filter.d</filename>.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.etc = {
"fail2ban/fail2ban.local".source = fail2banConf;
"fail2ban/jail.local".source = jailConf;
"fail2ban/fail2ban.conf".source = "${cfg.package}/etc/fail2ban/fail2ban.conf";
"fail2ban/jail.conf".source = "${cfg.package}/etc/fail2ban/jail.conf";
"fail2ban/paths-common.conf".source = "${cfg.package}/etc/fail2ban/paths-common.conf";
"fail2ban/paths-nixos.conf".source = pathsConf;
"fail2ban/action.d".source = "${cfg.package}/etc/fail2ban/action.d/*.conf";
"fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf";
};
systemd.services.fail2ban = {
description = "Fail2ban Intrusion Prevention System";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ fail2banConf jailConf pathsConf ];
reloadIfChanged = true;
path = [ cfg.package cfg.packageFirewall pkgs.iproute ];
preStart = ''
mkdir -p /var/lib/fail2ban
'';
unitConfig.Documentation = "man:fail2ban(1)";
serviceConfig = {
Type = "forking";
ExecStart = "${cfg.package}/bin/fail2ban-server -xf start";
ExecStop = "${cfg.package}/bin/fail2ban-server stop";
ExecReload = "${cfg.package}/bin/fail2ban-server reload";
PIDFile = "/run/fail2ban/fail2ban.pid";
Restart = "always";
ReadOnlyDirectories = "/";
ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
PrivateTmp = "true";
RuntimeDirectory = "fail2ban";
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
};
};
# Add some reasonable default jails. The special "DEFAULT" jail
# sets default values for all other jails.
services.fail2ban.jails.DEFAULT = ''
# Miscellaneous options
ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"}
maxretry = 3
backend = systemd
'';
# Block SSH if there are too many failing connection attempts.
services.fail2ban.jails.sshd = mkDefault ''
enabled = true
port = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}
'';
};
}