fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails

2026-05-01 03:03:08 +00:00
parent 5d3bbe99f3
commit 65fa778b2b
1 changed files with 19 additions and 6 deletions
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -372,30 +372,29 @@
    };
    
    jails = {
-      # SSH brute force protection
+      # SSH brute force protection (uses systemd journal backend)
      sshd = {
        enabled = true;
        filter = "sshd";
        port = "2424";
-        logpath = "/var/log/auth.log";
        maxretry = 3;
        bantime = 3600;
      };
      
-      # HTTP authentication failures
+      # HTTP authentication failures (Traefik)
      http-auth = {
        enabled = true;
-        filter = "apache-auth";
+        filter = "traefik-auth";
        port = "80,443";
        logpath = "/var/log/traefik/access.log";
        maxretry = 5;
        bantime = 3600;
      };
      
-      # HTTP scanning/attacks
+      # HTTP scanning/attacks (Traefik)
      http-botsearch = {
        enabled = true;
-        filter = "apache-botsearch";
+        filter = "traefik-botsearch";
        port = "80,443";
        logpath = [ "/var/log/traefik/access.log" ];
        maxretry = 2;
@@ -404,6 +403,20 @@
    };
  };
  
+  # Custom fail2ban filters for Traefik
+  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
+    ignoreregex =
+  '';
+  
+  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
+                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
+    ignoreregex =
+  '';
+
  # SSH hardening
  services.openssh.settings = {
    PermitRootLogin = "no";