added a fail2ban configuration for ssh

giving morpheus LUKS remote unlock capabilities
2025-12-16 14:32:45 +00:00 · 2025-11-05 17:50:20 +01:00 · 2025-11-05 17:38:46 +01:00
1 changed files with 23 additions and 0 deletions
--- a/nix/modules/security.nix
+++ b/nix/modules/security.nix
@@ -8,6 +8,7 @@
      PermitRootLogin = "no";                    # Disable root login
      PasswordAuthentication = false;            # Force SSH key auth only
      PubkeyAuthentication = true;               # Enable SSH keys
+      LogLevel = "VERBOSE";                      # More detailed logging, for fail2ban
    };
    ports = [ 22 ];
    # using the same key as for initrd
@@ -16,6 +17,27 @@
    ];
  };

+  services.fail2ban = {
+    enable = true;
+    maxretry = 5; # Ban IP after 5 failures
+    ignoreIP = [
+
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 3 4 5 6 7"; # everytime one day more
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    
+    # fail2ban ships with a default sshd jail, we override it here, to be explicit
+    jails.sshd.settings = {
+      port = 22; # explicit
+      maxretry = 5;
+    };
+  };
+
  # remote unlock for luks via ssh
  boot.kernelParams = [ "ip=dhcp" ];
  boot.initrd = {
@@ -27,6 +49,7 @@
        port = 22;
        authorizedKeys = [ 
          (builtins.readFile ../users/keys/neo.pub) 
+          (builtins.readFile ../users/keys/morpheus.pub) 
        ];
        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
        shell = "/bin/cryptsetup-askpass";
Author	SHA1	Message	Date
Henrik	c31f778ac2	added a fail2ban configuration for ssh	2025-11-05 17:50:20 +01:00
Henrik	f224a79f30	giving morpheus LUKS remote unlock capabilities	2025-11-05 17:38:46 +01:00