NixOS/system/modules/openssh.nix

{ config, lib, ... }:
let
  cfg = config.profile.openssh;
in
{
  config = lib.mkIf cfg.enable {
    services.openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        UseDns = true;
        X11Forwarding = false;
        PermitRootLogin = "no";
      };
    };
    services.fail2ban = {
      enable = true;
      # Ban IP after 5 failures
      maxretry = 5;
      ignoreIP = [
        # Whitelist some subnets
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
      ];
      bantime = "24h"; # Ban IPs for one day on the first ban
      bantime-increment = {
        enable = true; # Enable increment of bantime after each violation
        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
        multipliers = "1 2 4 8 16 32 64";
        maxtime = "168h"; # Do not ban for more than 1 week
        overalljails = true; # Calculate the bantime based on all the violations
      };
      jails = {
        apache-nohome-iptables.settings = {
          # Block an IP address if it accesses a non-existent
          # home directory more than 5 times in 10 minutes,
          # since that indicates that it's scanning.
          filter = "apache-nohome";
          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
          logpath = "/var/log/httpd/error_log*";
          backend = "auto";
          findtime = 600;
          bantime = 600;
          maxretry = 5;
        };
      };
    };
  };
}
prepare for homeserver profile 2024-06-12 18:09:56 +07:00			`{ config, lib, ... }:`
			`let`
			`cfg = config.profile.openssh;`
			`in`
			`{`
			`config = lib.mkIf cfg.enable {`
			`services.openssh = {`
			`enable = true;`
			`settings = {`
			`PasswordAuthentication = false;`
			`UseDns = true;`
			`X11Forwarding = false;`
			`PermitRootLogin = "no";`
			`};`
			`};`
openssh: added fail2ban settings 2024-06-12 19:53:29 +07:00			`services.fail2ban = {`
			`enable = true;`
			`# Ban IP after 5 failures`
			`maxretry = 5;`
			`ignoreIP = [`
			`# Whitelist some subnets`
			`"10.0.0.0/8"`
			`"172.16.0.0/12"`
			`"192.168.0.0/16"`
			`];`
			`bantime = "24h"; # Ban IPs for one day on the first ban`
			`bantime-increment = {`
			`enable = true; # Enable increment of bantime after each violation`
			`formula = "ban.Time * math.exp(float(ban.Count+1)banFactor)/math.exp(1banFactor)";`
			`multipliers = "1 2 4 8 16 32 64";`
			`maxtime = "168h"; # Do not ban for more than 1 week`
			`overalljails = true; # Calculate the bantime based on all the violations`
			`};`
			`jails = {`
			`apache-nohome-iptables.settings = {`
			`# Block an IP address if it accesses a non-existent`
			`# home directory more than 5 times in 10 minutes,`
			`# since that indicates that it's scanning.`
			`filter = "apache-nohome";`
			`action = ''iptables-multiport[name=HTTP, port="http,https"]'';`
			`logpath = "/var/log/httpd/error_log*";`
			`backend = "auto";`
			`findtime = 600;`
			`bantime = 600;`
			`maxretry = 5;`
			`};`
			`};`
			`};`
prepare for homeserver profile 2024-06-12 18:09:56 +07:00			`};`
			`}`