Fail2ban: Difference between revisions
→Extending Fail2ban: Fix typo |
Use inclusive language |
| (2 intermediate revisions by 2 users not shown) | |||
| Line 4: | Line 4: | ||
== Basic Usage == | == Basic Usage == | ||
Enable Fail2ban [[NixOS modules|NixOS module]] with the expression: | Enable Fail2ban [[NixOS modules|NixOS module]] with the expression: | ||
< | |||
{{file|/etc/nixos/configuration.nix|nix| | |||
<nowiki> | |||
services.fail2ban.enable = true; | services.fail2ban.enable = true; | ||
</ | </nowiki> | ||
NixOS comes with a pre-configured SSH jail which will observe errors in the SSH daemon and ban offending IPs. If all you need is basic rate-limiting and only have the SSH port exposed, you don't have to setup anything else. | }} | ||
NixOS comes with a pre-configured SSH jail which will observe errors in the [[SSH#OpenSSH Server|SSH daemon]] and ban offending IPs. If all you need is basic rate-limiting and only have the SSH port exposed, you don't have to setup anything else. | |||
For additional configuration options, see the{{nixos:option|services.fail2ban}} module documentation. | |||
== Advanced Usage == | == Advanced Usage == | ||
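Review bot: the added sentence "For additional configuration options, see the{{nixos:option|services.fail2ban}} module documentation." is missing a space between "the" and the template, so the rendered text runs the word into the link; suggest "see the {{nixos:option|services.fail2ban}} module documentation." While this paragraph is being touched, "you don't have to setup anything else" should read "set up".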
| Line 15: | Line 22: | ||
* The <syntaxhighlight lang="nix" inline>maxretry</syntaxhighlight> option allows you to specify how many failures are required for an IP address to be blocked. | * The <syntaxhighlight lang="nix" inline>maxretry</syntaxhighlight> option allows you to specify how many failures are required for an IP address to be blocked. | ||
* To prevent being locked out accidentally, use <syntaxhighlight lang="nix" inline>ignoreIP</syntaxhighlight> to | * To prevent being locked out accidentally, use <syntaxhighlight lang="nix" inline>ignoreIP</syntaxhighlight> to define IP allow lists or IP ranges to be never checked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "wiki.nixos.org" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default. | ||
* <syntaxhighlight lang="nix" inline>bantime</syntaxhighlight> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <syntaxhighlight lang="nix" inline>bantime-increment.enable = true;</syntaxhighlight>. The bantime increment can then be customized by specifying a formula (in Python) like <syntaxhighlight lang="python" inline>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</syntaxhighlight> with <syntaxhighlight lang="nix" inline>bantime-increment.formula</syntaxhighlight>, the multipliers with <syntaxhighlight lang="nix" inline>bantime-increment.multipliers</syntaxhighlight>, the maximum bantime with <syntaxhighlight lang="nix" inline>bantime-increment.maxtime</syntaxhighlight> and the indication to consider the bans issued throughout multiple jails with <syntaxhighlight lang="nix" inline>bantime-increment.overalljails</syntaxhighlight> | * <syntaxhighlight lang="nix" inline>bantime</syntaxhighlight> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <syntaxhighlight lang="nix" inline>bantime-increment.enable = true;</syntaxhighlight>. The bantime increment can then be customized by specifying a formula (in Python) like <syntaxhighlight lang="python" inline>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</syntaxhighlight> with <syntaxhighlight lang="nix" inline>bantime-increment.formula</syntaxhighlight>, the multipliers with <syntaxhighlight lang="nix" inline>bantime-increment.multipliers</syntaxhighlight>, the maximum bantime with <syntaxhighlight lang="nix" inline>bantime-increment.maxtime</syntaxhighlight> and the indication to consider the bans issued throughout multiple jails with <syntaxhighlight lang="nix" inline>bantime-increment.overalljails</syntaxhighlight> | ||
* <syntaxhighlight lang="nix" inline>banaction</syntaxhighlight> specifies which of the actions in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.) | * <syntaxhighlight lang="nix" inline>banaction</syntaxhighlight> specifies which of the actions in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.) | ||
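Review bot: "to define IP allow lists or IP ranges to be never checked" reads awkwardly; suggest "to define an allow list of IP addresses or ranges that are never checked". Since the same bullet documents that a hostname such as "wiki.nixos.org" is accepted and resolved via DNS, it is worth adding one sentence that such entries exempt whatever address the DNS answer gives at resolution time, so a changed or stale record changes who is exempt from bans; literal addresses and ranges are the safer choice for anything security-relevant.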
| Line 21: | Line 28: | ||
< | <syntaxhighlight lang="nix"> | ||
services.fail2ban = { | services.fail2ban = { | ||
enable = true; | enable = true; | ||
| Line 27: | Line 34: | ||
maxretry = 5; | maxretry = 5; | ||
ignoreIP = [ | ignoreIP = [ | ||
# | # Allow list for some subnets | ||
"10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" | "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" | ||
"8.8.8.8" # | "8.8.8.8" # allow a specific IP | ||
"wiki.nixos.org" # resolve the IP via DNS | "wiki.nixos.org" # resolve the IP via DNS | ||
]; | ]; | ||
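Review bot: the two renamed comments use different capitalization and wording ("# Allow list for some subnets" vs "# allow a specific IP"); pick one form, for example "# Allow some subnets" and "# Allow a specific IP", so the allow-list wording matches the bullet in the Advanced Usage section that describes this example.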
| Line 55: | Line 62: | ||
}; | }; | ||
}; | }; | ||
</ | </syntaxhighlight> | ||
These settings are written to <code>/etc/fail2ban/jail.local</code>, where fail2ban will read them. | These settings are written to <code>/etc/fail2ban/jail.local</code>, where fail2ban will read them. | ||
| Line 109: | Line 116: | ||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category:Server]] | |||
[[Category:Networking]] | |||