openssh: added fail2ban settings
This commit is contained in:
parent
79ed7d929b
commit
ec7e115b54
|
@ -13,5 +13,38 @@ in
|
||||||
PermitRootLogin = "no";
|
PermitRootLogin = "no";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
# Ban IP after 5 failures
|
||||||
|
maxretry = 5;
|
||||||
|
ignoreIP = [
|
||||||
|
# Whitelist some subnets
|
||||||
|
"10.0.0.0/8"
|
||||||
|
"172.16.0.0/12"
|
||||||
|
"192.168.0.0/16"
|
||||||
|
];
|
||||||
|
bantime = "24h"; # Ban IPs for one day on the first ban
|
||||||
|
bantime-increment = {
|
||||||
|
enable = true; # Enable increment of bantime after each violation
|
||||||
|
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
|
||||||
|
multipliers = "1 2 4 8 16 32 64";
|
||||||
|
maxtime = "168h"; # Do not ban for more than 1 week
|
||||||
|
overalljails = true; # Calculate the bantime based on all the violations
|
||||||
|
};
|
||||||
|
jails = {
|
||||||
|
apache-nohome-iptables.settings = {
|
||||||
|
# Block an IP address if it accesses a non-existent
|
||||||
|
# home directory more than 5 times in 10 minutes,
|
||||||
|
# since that indicates that it's scanning.
|
||||||
|
filter = "apache-nohome";
|
||||||
|
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
|
||||||
|
logpath = "/var/log/httpd/error_log*";
|
||||||
|
backend = "auto";
|
||||||
|
findtime = 600;
|
||||||
|
bantime = 600;
|
||||||
|
maxretry = 5;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue