diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 6223c9c..d1c93e8 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -355,50 +355,55 @@
 # Fail2ban - automatic IP banning
 services.fail2ban = {
 enable = true;
- maxRetry = 3;
- findtime = 600;
- bantime = 3600;
+ maxretry = 3;
+ bantime = "1h";
 banaction = "iptables-multiport";
- # Ban repeat offenders for 1 week
- recidive = {
- enabled = true;
- filter = "recidive";
- logpath = "/var/log/fail2ban.log";
- bantime = 604800;
- findtime = 86400;
- maxretry = 3;
- };
 jails = {
+ # Ban repeat offenders for 1 week
+ recidive = {
+ enabled = true;
+ filter = "recidive";
+ settings = {
+ logpath = "/var/log/fail2ban.log";
+ bantime = "1w";
+ findtime = "1d";
+ maxretry = 3;
+ };
+ };
+ # SSH brute force protection
 sshd = {
 enabled = true;
- filter = "sshd";
- port = "2424";
- logpath = "/var/log/auth.log";
- maxretry = 3;
- bantime = 3600;
+ settings = {
+ port = "2424";
+ maxretry = 3;
+ bantime = "1h";
+ };
 };
 # HTTP authentication failures
 http-auth = {
 enabled = true;
 filter = "apache-auth";
- port = "80,443";
- logpath = "/var/log/traefik/access.log";
- maxretry = 5;
- bantime = 3600;
+ settings = {
+ port = "80,443";
+ logpath = "/var/log/traefik/access.log";
+ maxretry = 5;
+ bantime = "1h";
+ };
 };
 # HTTP scanning/attacks
 http-botsearch = {
 enabled = true;
 filter = "apache-botsearch";
- port = "80,443";
- logpath = [ "/var/log/traefik/access.log" ];
- maxretry = 2;
- bantime = 7200;
+ settings = {
+ port = "80,443";
+ logpath = "/var/log/traefik/access.log";
+ maxretry = 2;
+ bantime = "2h";
+ };
 };
 };
 };
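Review bot: The three file-backed jails on the new side (recidive, http-auth, http-botsearch) set `logpath` in `settings` but no `backend`, and if the jail DEFAULT section selects the systemd journal backend — which I believe the NixOS fail2ban module does by default — `logpath` is ignored and the jail reads the journal instead, so Traefik's file access log would never be scanned and the jail would sit silently empty while appearing enabled. Adding `backend = "auto";` to each of those three `settings` blocks pins them to file monitoring regardless of the DEFAULT section. The recidive jail additionally depends on `/var/log/fail2ban.log` existing, which only holds if `daemonSettings.Definition.logtarget` elsewhere in this file points at that path rather than syslog; that option is outside this hunk, so either confirm it or drop the `logpath` line and let the stock recidive filter's journal match apply. After deployment, `fail2ban-client status http-auth` reporting a non-empty file list is the quick check that each jail actually attached to its log. The attribute set enclosing `services.fail2ban` begins before the hunk.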