added a fail2ban configuration for ssh

2025-11-07 03:12:45 +00:00 · 2025-11-05 17:50:20 +01:00
parent f224a79f30
commit c31f778ac2
1 changed files with 22 additions and 0 deletions
--- a/nix/modules/security.nix
+++ b/nix/modules/security.nix
@@ -8,6 +8,7 @@
      PermitRootLogin = "no";                    # Disable root login
      PasswordAuthentication = false;            # Force SSH key auth only
      PubkeyAuthentication = true;               # Enable SSH keys
+      LogLevel = "VERBOSE";                      # More detailed logging, for fail2ban
    };
    ports = [ 22 ];
    # using the same key as for initrd
@@ -16,6 +17,27 @@
    ];
  };

+  services.fail2ban = {
+    enable = true;
+    maxretry = 5; # Ban IP after 5 failures
+    ignoreIP = [
+
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 3 4 5 6 7"; # everytime one day more
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    
+    # fail2ban ships with a default sshd jail, we override it here, to be explicit
+    jails.sshd.settings = {
+      port = 22; # explicit
+      maxretry = 5;
+    };
+  };
+
  # remote unlock for luks via ssh
  boot.kernelParams = [ "ip=dhcp" ];
  boot.initrd = {