diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-15 18:36:45 +0200 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-16 10:03:43 +0200 |
| commit | 7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b (patch) | |
| tree | 5b540f6cb646dfb10d787b0cef3470e8edb16605 /nixos | |
| parent | c8f261c72da273850f202280e423dbd1abb49fdb (diff) | |
| download | nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.tar nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.tar.gz nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.tar.bz2 nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.tar.lz nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.tar.xz nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.tar.zst nixlib-7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b.zip | |
fail2ban: Update to 0.8.10
Also fix random start failures due to a race between the fail2ban server and the postStart script.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 56 |
1 files changed, 27 insertions, 29 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 2b2a54ef4097..395a5df8af07 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -10,7 +10,7 @@ let jailConf = pkgs.writeText "jail.conf" (concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def: - optionalString (def != "") + optionalString (def != "") '' [${name}] ${def} @@ -32,7 +32,8 @@ in [Definition] loglevel = 3 logtarget = SYSLOG - socket = /var/run/fail2ban/fail2ban.sock + socket = /run/fail2ban/fail2ban.sock + pidfile = /run/fail2ban/fail2ban.pid ''; type = types.string; description = @@ -71,56 +72,53 @@ in <filename>/etc/fail2ban/filter.d</filename>. ''; }; - + }; }; - + ###### implementation config = { environment.systemPackages = [ pkgs.fail2ban ]; - environment.etc = - [ { source = fail2banConf; - target = "fail2ban/fail2ban.conf"; - } - { source = jailConf; - target = "fail2ban/jail.conf"; - } - { source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; - target = "fail2ban/action.d"; - } - { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; - target = "fail2ban/filter.d"; - } - ]; - - system.activationScripts.fail2ban = - '' - mkdir -p /var/run/fail2ban -m 0755 - ''; + environment.etc."fail2ban/fail2ban.conf".source = fail2banConf; + environment.etc."fail2ban/jail.conf".source = jailConf; + environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; + environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; systemd.services.fail2ban = { description = "Fail2ban intrusion prevention system"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - + restartTriggers = [ fail2banConf jailConf ]; path = [ pkgs.fail2ban pkgs.iptables ]; - + + preStart = + '' + mkdir -p /run/fail2ban -m 0755 + ''; + serviceConfig = { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/var/run/fail2ban /var/tmp"; - CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; + ReadWriteDirectories = "/run/fail2ban /var/tmp"; + CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; }; postStart = '' + # Wait for the server to start listening. + for ((n = 0; n < 20; n++)); do + if fail2ban-client ping; then break; fi + sleep 0.5 + done + + # Reload its configuration. fail2ban-client reload ''; }; @@ -137,14 +135,14 @@ in ''; # Block SSH if there are too many failing connection attempts. - services.fail2ban.jails."ssh-iptables" = + services.fail2ban.jails.ssh-iptables = '' filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/warn maxretry = 5 ''; - + }; } |