From 65fa778b2bc71ad77d2aa2b31719e240f350ddcf Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Fri, 1 May 2026 03:03:08 +0000
Subject: [PATCH] fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails
---
 hosts/lazyworkhorse/configuration.nix | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 9485442..1904449 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -372,30 +372,29 @@
 };
 jails = {
- # SSH brute force protection
+ # SSH brute force protection (uses systemd journal backend)
 sshd = {
 enabled = true;
 filter = "sshd";
 port = "2424";
- logpath = "/var/log/auth.log";
 maxretry = 3;
 bantime = 3600;
 };
- # HTTP authentication failures
+ # HTTP authentication failures (Traefik)
 http-auth = {
 enabled = true;
- filter = "apache-auth";
+ filter = "traefik-auth";
 port = "80,443";
 logpath = "/var/log/traefik/access.log";
 maxretry = 5;
 bantime = 3600;
 };
- # HTTP scanning/attacks
+ # HTTP scanning/attacks (Traefik)
 http-botsearch = {
 enabled = true;
- filter = "apache-botsearch";
+ filter = "traefik-botsearch";
 port = "80,443";
 logpath = [ "/var/log/traefik/access.log" ];
 maxretry = 2;
@@ -403,6 +402,20 @@
 };
 };
 };
+
+ # Custom fail2ban filters for Traefik
+ environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
+ [Definition]
+ failregex = ^ -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
+ ignoreregex =
+ '';
+ environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
+ [Definition]
+ failregex = ^ -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
+ ^ -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
+ ignoreregex =
+ '';
 # SSH hardening
 services.openssh.settings = {
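Review bot: The sshd jail loses its `logpath` and the new comment says it relies on the systemd journal backend, but no `backend = "systemd"` setting appears in this hunk; unless the DEFAULT jail (outside the hunk) already sets it, the jail is left with neither a log file nor a backend and fail2ban will refuse to start it. Stating it explicitly in the jail, `backend = "systemd";`, keeps the comment and the configuration in agreement whatever the default is. The enclosing `services.fail2ban` block starts before this hunk.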
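Review bot: The second `failregex` line of traefik-botsearch matches any status code (`\d+`), so two ordinary requests to a path containing `/login` or `/admin` that the backend answered with 200 are enough, at `maxretry = 2`, to ban a legitimate user; it should be limited to the error class the jail is meant to catch, e.g. ending the line with `" 404 \d+.*$` like the first pattern, and the `\.` alternative already covers `\.env|\.git|\.aws|\.azure`, which can be dropped. As printed, both filters' patterns read `^ -.*"` with no `<HOST>` capture tag; fail2ban refuses to load a failregex without a host group, so unless `<HOST>` was merely stripped in rendering, neither the http-auth nor the http-botsearch jail will start. A comment on each `environment.etc` entry recording the Traefik access-log format the pattern was written against would help, since the `^<HOST> -` anchor assumes Traefik's default common log format. The enclosing configuration attrset starts before this hunk.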