From c218a9f2cf2c350e5f7456326898de2c67679cce Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 22 Sep 2024 00:43:17 +0200 Subject: [PATCH 1/3] nixos: services: mealie: add fail2ban jail --- modules/nixos/services/mealie/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix index 96b9e14..6d59109 100644 --- a/modules/nixos/services/mealie/default.nix +++ b/modules/nixos/services/mealie/default.nix @@ -71,5 +71,21 @@ in }; }; }; + + services.fail2ban.jails = { + mealie = '' + enabled = true + filter = mealie + port = http,https + ''; + }; + + environment.etc = { + "fail2ban/filter.d/mealie.conf".text = '' + [Definition] + failregex = ^ERROR.*Incorrect username or password from + journalmatch = _SYSTEMD_UNIT=mealie.service + ''; + }; }; } From 22f0c2bfb4aa14d8a4ed82e7c787337af40321d9 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 22 Sep 2024 01:10:52 +0200 Subject: [PATCH 2/3] nixos: services: audiobookshelf: add fail2ban jail --- .../nixos/services/audiobookshelf/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/modules/nixos/services/audiobookshelf/default.nix b/modules/nixos/services/audiobookshelf/default.nix index 8c9719d..3f16423 100644 --- a/modules/nixos/services/audiobookshelf/default.nix +++ b/modules/nixos/services/audiobookshelf/default.nix @@ -35,5 +35,21 @@ in }; }; }; + + services.fail2ban.jails = { + audiobookshelf = '' + enabled = true + filter = audiobookshelf + port = http,https + ''; + }; + + environment.etc = { + "fail2ban/filter.d/audiobookshelf.conf".text = '' + [Definition] + failregex = ERROR: \[Auth\] Failed login attempt for username ".*" from ip + journalmatch = _SYSTEMD_UNIT=audiobookshelf.service + ''; + }; }; } From 7922fc01968f1af41194c62ae25671ee6b15e3a9 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 22 Sep 2024 01:26:06 +0200 Subject: [PATCH 3/3] nixos: services: nextcloud: add fail2ban jail --- modules/nixos/services/nextcloud/default.nix | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index bb3169a..e0795e8 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -87,5 +87,26 @@ in "${config.services.nextcloud.home}/data/appdata_*/preview" ]; }; + + services.fail2ban.jails = { + nextcloud = '' + enabled = true + filter = nextcloud + port = http,https + ''; + }; + + environment.etc = { + "fail2ban/filter.d/nextcloud.conf".text = '' + [Definition] + _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) + datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" + failregex = \{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: + \{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. + \{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Two-factor challenge failed: + journalmatch = _SYSTEMD_UNIT=phpfpm-nextcloud.service + ''; + }; + }; }