diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 3f81b43..db86d2a 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -357,47 +357,55 @@
 services.fail2ban = {
 enable = true;
 maxretry = 3;
- bantime = 3600;
+ bantime = "1h";
 banaction = "iptables-multiport";
 
- # Ban repeat offenders for 1 week
- recidive = {
- enabled = true;
- filter = "recidive";
- logpath = "/var/log/fail2ban.log";
- bantime = 604800;
- findtime = 86400;
- maxretry = 3;
- };
-
 jails = {
 # SSH brute force protection (uses systemd journal backend)
 sshd = {
 enabled = true;
 filter = "sshd";
- port = "2424";
- maxretry = 3;
- bantime = 3600;
+ settings = {
+ port = "2424";
+ maxretry = 3;
+ bantime = "1h";
+ };
+ };
+
+ # Recidive - ban repeat offenders for 1 week
+ recidive = {
+ enabled = true;
+ filter = "recidive";
+ settings = {
+ logpath = "/var/log/fail2ban.log";
+ bantime = "1w";
+ findtime = "1d";
+ maxretry = 3;
+ };
 };
 
 # HTTP authentication failures (Traefik)
 http-auth = {
 enabled = true;
 filter = "traefik-auth";
- port = "80,443";
- logpath = "/var/log/traefik/access.log";
- maxretry = 5;
- bantime = 3600;
+ settings = {
+ port = "80,443";
+ logpath = "/var/log/traefik/access.log";
+ maxretry = 5;
+ bantime = "1h";
+ };
 };
 
 # HTTP scanning/attacks (Traefik)
 http-botsearch = {
 enabled = true;
 filter = "traefik-botsearch";
- port = "80,443";
- logpath = [ "/var/log/traefik/access.log" ];
- maxretry = 2;
- bantime = 7200;
+ settings = {
+ port = "80,443";
+ logpath = [ "/var/log/traefik/access.log" ];
+ maxretry = 2;
+ bantime = "2h";
+ };
 };
 };
 };
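Review bot: The recidive jail's `logpath = "/var/log/fail2ban.log"` is only useful if fail2ban actually writes a log file there; on NixOS I believe the daemon's default logtarget is the journal (the sshd comment in the same hunk also says the systemd backend is in use), in which case that file will not exist and, under a file backend, the jail would fail to start while the other jails keep running. Either confirm `backend = systemd` is the effective default so the stock recidive filter's journalmatch is used and drop the misleading path, or pin it explicitly in the recidive settings with `backend = "systemd";` and a comment such as `# recidive reads fail2ban's own bans from the journal, not a log file`. After deploying, `fail2ban-client status recidive` is the quickest way to confirm the jail is up and counting. As a style aside, `http-botsearch` gives `logpath` as a list while `http-auth` gives a plain string; the two Traefik jails read the same file and should use one form. The whole `services.fail2ban` block is contained in this hunk.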