diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/security/fail2ban.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/security/fail2ban.nix | 147 |
1 files changed, 90 insertions, 57 deletions
diff --git a/nixpkgs/nixos/modules/services/security/fail2ban.nix b/nixpkgs/nixos/modules/services/security/fail2ban.nix index 24c84151bc78..eebf2a2f7b55 100644 --- a/nixpkgs/nixos/modules/services/security/fail2ban.nix +++ b/nixpkgs/nixos/modules/services/security/fail2ban.nix @@ -62,23 +62,29 @@ in }; packageFirewall = mkOption { - default = pkgs.iptables; - defaultText = literalExpression "pkgs.iptables"; + default = config.networking.firewall.package; + defaultText = literalExpression "config.networking.firewall.package"; type = types.package; - example = literalExpression "pkgs.nftables"; - description = lib.mdDoc "The firewall package used by fail2ban service."; + description = lib.mdDoc "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables)."; }; extraPackages = mkOption { default = []; type = types.listOf types.package; example = lib.literalExpression "[ pkgs.ipset ]"; - description = '' + description = lib.mdDoc '' Extra packages to be made available to the fail2ban service. The example contains the packages needed by the `iptables-ipset-proto6` action. ''; }; + bantime = mkOption { + default = null; + type = types.nullOr types.str; + example = "10m"; + description = lib.mdDoc "Number of seconds that a host is banned."; + }; + maxretry = mkOption { default = 3; type = types.ints.unsigned; @@ -86,23 +92,24 @@ in }; banaction = mkOption { - default = "iptables-multiport"; + default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"; + defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"''; type = types.str; - example = "nftables-multiport"; description = lib.mdDoc '' Default banning action (e.g. iptables, iptables-new, iptables-multiport, - shorewall, etc) It is used to define action_* variables. Can be overridden - globally or per section within jail.local file + iptables-ipset-proto6-allports, shorewall, etc). It is used to + define action_* variables. Can be overridden globally or per + section within jail.local file ''; }; banaction-allports = mkOption { - default = "iptables-allport"; + default = if config.networking.nftables.enable then "nftables-allport" else "iptables-allport"; + defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allport" else "iptables-allport"''; type = types.str; - example = "nftables-allport"; description = lib.mdDoc '' Default banning action (e.g. iptables, iptables-new, iptables-multiport, - shorewall, etc) It is used to define action_* variables. Can be overridden + shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden globally or per section within jail.local file ''; }; @@ -111,56 +118,56 @@ in default = false; type = types.bool; description = lib.mdDoc '' - Allows to use database for searching of previously banned ip's to increase - a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... + "bantime.increment" allows to use database for searching of previously banned ip's to increase + a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32 ... ''; }; bantime-increment.rndtime = mkOption { - default = "4m"; - type = types.str; + default = null; + type = types.nullOr types.str; example = "8m"; description = lib.mdDoc '' - "bantime-increment.rndtime" is the max number of seconds using for mixing with random time + "bantime.rndtime" is the max number of seconds using for mixing with random time to prevent "clever" botnets calculate exact time IP can be unbanned again ''; }; bantime-increment.maxtime = mkOption { - default = "10h"; - type = types.str; + default = null; + type = types.nullOr types.str; example = "48h"; description = lib.mdDoc '' - "bantime-increment.maxtime" is the max number of seconds using the ban time can reach (don't grows further) + "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further) ''; }; bantime-increment.factor = mkOption { - default = "1"; - type = types.str; + default = null; + type = types.nullOr types.str; example = "4"; description = lib.mdDoc '' - "bantime-increment.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, + "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, default value of factor is 1 and with default value of formula, the ban time grows by 1, 2, 4, 8, 16 ... ''; }; bantime-increment.formula = mkOption { - default = "ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor"; - type = types.str; + default = null; + type = types.nullOr types.str; example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; description = lib.mdDoc '' - "bantime-increment.formula" used by default to calculate next value of ban time, default value bellow, - the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... + "bantime.formula" used by default to calculate next value of ban time, default value bellow, + the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 ... ''; }; bantime-increment.multipliers = mkOption { - default = "1 2 4 8 16 32 64"; - type = types.str; - example = "2 4 16 128"; + default = null; + type = types.nullOr types.str; + example = "1 2 4 8 16 32 64"; description = lib.mdDoc '' - "bantime-increment.multipliers" used to calculate next value of ban time instead of formula, coresponding + "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding previously ban count and given "bantime.factor" (for multipliers default is 1); following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours @@ -168,12 +175,12 @@ in }; bantime-increment.overalljails = mkOption { - default = false; - type = types.bool; + default = null; + type = types.nullOr types.bool; example = true; description = lib.mdDoc '' - "bantime-increment.overalljails" (if true) specifies the search of IP in the database will be executed - cross over all jails, if false (dafault), only current jail of the ban IP will be searched + "bantime.overalljails" (if true) specifies the search of IP in the database will be executed + cross over all jails, if false (default), only current jail of the ban IP will be searched ''; }; @@ -202,6 +209,20 @@ in ''; }; + extraSettings = mkOption { + type = with types; attrsOf (oneOf [ bool ints.positive str ]); + default = {}; + description = lib.mdDoc '' + Extra default configuration for all jails (i.e. `[DEFAULT]`). See + <https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf> for an overview. + ''; + example = literalExpression '' + { + findtime = "15m"; + } + ''; + }; + jails = mkOption { default = { }; example = literalExpression '' @@ -212,10 +233,18 @@ in filter = apache-nohome action = iptables-multiport[name=HTTP, port="http,https"] logpath = /var/log/httpd/error_log* + backend = auto findtime = 600 bantime = 600 maxretry = 5 '''; + dovecot = ''' + # block IPs which failed to log-in + # aggressive mode add blocking for aborted connections + enabled = true + filter = dovecot[mode=aggressive] + maxretry = 3 + '''; } ''; type = types.attrsOf types.lines; @@ -247,8 +276,16 @@ in ###### implementation config = mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.bantime-increment.formula == null || cfg.bantime-increment.multipliers == null); + message = '' + Options `services.fail2ban.bantime-increment.formula` and `services.fail2ban.bantime-increment.multipliers` cannot be both specified. + ''; + } + ]; - warnings = mkIf (config.networking.firewall.enable == false && config.networking.nftables.enable == false) [ + warnings = mkIf (!config.networking.firewall.enable && !config.networking.nftables.enable) [ "fail2ban can not be used without a firewall" ]; @@ -265,26 +302,16 @@ in "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf"; }; + systemd.packages = [ cfg.package ]; systemd.services.fail2ban = { - description = "Fail2ban Intrusion Prevention System"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; restartTriggers = [ fail2banConf jailConf pathsConf ]; path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages; - unitConfig.Documentation = "man:fail2ban(1)"; - serviceConfig = { - ExecStart = "${cfg.package}/bin/fail2ban-server -xf start"; - ExecStop = "${cfg.package}/bin/fail2ban-server stop"; - ExecReload = "${cfg.package}/bin/fail2ban-server reload"; - Type = "simple"; - Restart = "on-failure"; - PIDFile = "/run/fail2ban/fail2ban.pid"; # Capabilities CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ]; # Security @@ -311,27 +338,33 @@ in # Add some reasonable default jails. The special "DEFAULT" jail # sets default values for all other jails. services.fail2ban.jails.DEFAULT = '' - ${optionalString cfg.bantime-increment.enable '' - # Bantime incremental - bantime.increment = ${boolToString cfg.bantime-increment.enable} - bantime.maxtime = ${cfg.bantime-increment.maxtime} - bantime.factor = ${cfg.bantime-increment.factor} - bantime.formula = ${cfg.bantime-increment.formula} - bantime.multipliers = ${cfg.bantime-increment.multipliers} - bantime.overalljails = ${boolToString cfg.bantime-increment.overalljails} - ''} + # Bantime increment options + bantime.increment = ${boolToString cfg.bantime-increment.enable} + ${optionalString (cfg.bantime-increment.rndtime != null) "bantime.rndtime = ${cfg.bantime-increment.rndtime}"} + ${optionalString (cfg.bantime-increment.maxtime != null) "bantime.maxtime = ${cfg.bantime-increment.maxtime}"} + ${optionalString (cfg.bantime-increment.factor != null) "bantime.factor = ${cfg.bantime-increment.factor}"} + ${optionalString (cfg.bantime-increment.formula != null) "bantime.formula = ${cfg.bantime-increment.formula}"} + ${optionalString (cfg.bantime-increment.multipliers != null) "bantime.multipliers = ${cfg.bantime-increment.multipliers}"} + ${optionalString (cfg.bantime-increment.overalljails != null) "bantime.overalljails = ${boolToString cfg.bantime-increment.overalljails}"} # Miscellaneous options ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP} + ${optionalString (cfg.bantime != null) '' + bantime = ${cfg.bantime} + ''} maxretry = ${toString cfg.maxretry} backend = systemd # Actions banaction = ${cfg.banaction} banaction_allports = ${cfg.banaction-allports} + ${optionalString (cfg.extraSettings != {}) '' + # Extra settings + ${generators.toKeyValue {} cfg.extraSettings} + ''} ''; # Block SSH if there are too many failing connection attempts. # Benefits from verbose sshd logging to observe failed login attempts, # so we set that here unless the user overrode it. - services.openssh.logLevel = lib.mkDefault "VERBOSE"; + services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE"; services.fail2ban.jails.sshd = mkDefault '' enabled = true port = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports} |