Fail2ban: Difference between revisions

Pigs (talk | contribs)
m Basic Usage: Add links to module options and ssh page
Britter (talk | contribs)
Use inclusive language
 
Line 22: Line 22:


* The <syntaxhighlight lang="nix" inline>maxretry</syntaxhighlight> option allows you to specify how many failures are required for an IP address to be blocked.
* The <syntaxhighlight lang="nix" inline>maxretry</syntaxhighlight> option allows you to specify how many failures are required for an IP address to be blocked.
* To prevent being locked out accidentally, use <syntaxhighlight lang="nix" inline>ignoreIP</syntaxhighlight> to whitelist IPs or IP ranges to be never cheked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "wiki.nixos.org" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default.
* To prevent being locked out accidentally, use <syntaxhighlight lang="nix" inline>ignoreIP</syntaxhighlight> to define IP allow lists or IP ranges to be never checked. In the example below, common LAN IP address ranges as well as the specific IP '8.8.8.8' and the address associated with the hostname "wiki.nixos.org" are excluded from any bans. Note that the loopback addresses "127.0.0.0/8" and "::1" are added by default.
* <syntaxhighlight lang="nix" inline>bantime</syntaxhighlight> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <syntaxhighlight lang="nix" inline>bantime-increment.enable = true;</syntaxhighlight>. The bantime increment can then be customized by specifying a formula (in Python) like <syntaxhighlight lang="python" inline>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</syntaxhighlight> with <syntaxhighlight lang="nix" inline>bantime-increment.formula</syntaxhighlight>, the multipliers with <syntaxhighlight lang="nix" inline>bantime-increment.multipliers</syntaxhighlight>, the maximum bantime with <syntaxhighlight lang="nix" inline>bantime-increment.maxtime</syntaxhighlight> and the indication to consider the bans issued throughout multiple jails with <syntaxhighlight lang="nix" inline>bantime-increment.overalljails</syntaxhighlight>
* <syntaxhighlight lang="nix" inline>bantime</syntaxhighlight> specifies for how much time an IP address is blocked after reaching the maximum number of failures. Note that the bantime can be increased for every violation by setting <syntaxhighlight lang="nix" inline>bantime-increment.enable = true;</syntaxhighlight>. The bantime increment can then be customized by specifying a formula (in Python) like <syntaxhighlight lang="python" inline>ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)</syntaxhighlight> with <syntaxhighlight lang="nix" inline>bantime-increment.formula</syntaxhighlight>, the multipliers with <syntaxhighlight lang="nix" inline>bantime-increment.multipliers</syntaxhighlight>, the maximum bantime with <syntaxhighlight lang="nix" inline>bantime-increment.maxtime</syntaxhighlight> and the indication to consider the bans issued throughout multiple jails with <syntaxhighlight lang="nix" inline>bantime-increment.overalljails</syntaxhighlight>
* <syntaxhighlight lang="nix" inline>banaction</syntaxhighlight> specifies which of the actions in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.)
* <syntaxhighlight lang="nix" inline>banaction</syntaxhighlight> specifies which of the actions in <syntaxhighlight lang="nix" inline>/etc/fail2ban/action.d</syntaxhighlight> should be the default ban action (e.g., iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc.)
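Review bot: the rewritten ignoreIP sentence in this hunk reads awkwardly: "use ignoreIP to define IP allow lists or IP ranges to be never checked" makes "allow lists" and "IP ranges" sound like two alternatives rather than the contents of one list. Suggest "use ignoreIP to allow-list IPs or IP ranges that are never checked", which keeps the original meaning and the inclusive wording. The typo fix "cheked" to "checked" is correct. Minor: the unchanged bantime bullet still ends without a period after bantime-increment.overalljails.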
Line 28: Line 28:




<syntaxHighlight lang=nix>
<syntaxhighlight lang="nix">
   services.fail2ban = {
   services.fail2ban = {
     enable = true;
     enable = true;
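Review bot: the opening tag normalisation from <syntaxHighlight lang=nix> to <syntaxhighlight lang="nix"> is a markup fix unrelated to the "Use inclusive language" summary; it is consistent with the matching closing-tag change in the final hunk, so it is fine to keep, but it is worth calling out in the edit summary so the diff is not read as a wording-only change.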
Line 34: Line 34:
     maxretry = 5;
     maxretry = 5;
     ignoreIP = [
     ignoreIP = [
       # Whitelist some subnets
       # Allow list for some subnets
       "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
       "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
       "8.8.8.8" # whitelist a specific IP
       "8.8.8.8" # allow a specific IP
       "wiki.nixos.org" # resolve the IP via DNS
       "wiki.nixos.org" # resolve the IP via DNS
     ];
     ];
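Review bot: the two rewritten comments in this hunk are inconsistent in form: "Allow list for some subnets" is a noun phrase while "allow a specific IP" is an imperative. Suggest "Allow-list some subnets" so both comments read the same way. The unchanged "resolve the IP via DNS" comment on the wiki.nixos.org entry still matches the prose in the first hunk, which says the address associated with that hostname is the one excluded from bans.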
Line 62: Line 62:
     };
     };
   };
   };
</syntaxHighlight>
</syntaxhighlight>


These settings are written to <code>/etc/fail2ban/jail.local</code>, where fail2ban will read them.
These settings are written to <code>/etc/fail2ban/jail.local</code>, where fail2ban will read them.