Compare commits
3 Commits
feat/herme
...
8bdd0e352a
| Author | SHA1 | Date | |
|---|---|---|---|
| 8bdd0e352a | |||
| 9291d83870 | |||
| 6999d50f35 |
@@ -316,7 +316,6 @@
|
|||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowPing = true;
|
allowPing = true;
|
||||||
defaultAllow = false;
|
|
||||||
|
|
||||||
# Only essential ports exposed to internet
|
# Only essential ports exposed to internet
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
@@ -356,50 +355,55 @@
|
|||||||
# Fail2ban - automatic IP banning
|
# Fail2ban - automatic IP banning
|
||||||
services.fail2ban = {
|
services.fail2ban = {
|
||||||
enable = true;
|
enable = true;
|
||||||
maxRetry = 3;
|
maxretry = 3;
|
||||||
findtime = 600;
|
bantime = "1h";
|
||||||
bantime = 3600;
|
|
||||||
banaction = "iptables-multiport";
|
banaction = "iptables-multiport";
|
||||||
|
|
||||||
|
jails = {
|
||||||
# Ban repeat offenders for 1 week
|
# Ban repeat offenders for 1 week
|
||||||
recidive = {
|
recidive = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "recidive";
|
filter = "recidive";
|
||||||
|
settings = {
|
||||||
logpath = "/var/log/fail2ban.log";
|
logpath = "/var/log/fail2ban.log";
|
||||||
bantime = 604800;
|
bantime = "1w";
|
||||||
findtime = 86400;
|
findtime = "1d";
|
||||||
maxretry = 3;
|
maxretry = 3;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
jails = {
|
|
||||||
# SSH brute force protection
|
# SSH brute force protection
|
||||||
sshd = {
|
sshd = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "sshd";
|
settings = {
|
||||||
port = "2424";
|
port = "2424";
|
||||||
logpath = "/var/log/auth.log";
|
|
||||||
maxretry = 3;
|
maxretry = 3;
|
||||||
bantime = 3600;
|
bantime = "1h";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# HTTP authentication failures
|
# HTTP authentication failures
|
||||||
http-auth = {
|
http-auth = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "apache-auth";
|
filter = "apache-auth";
|
||||||
|
settings = {
|
||||||
port = "80,443";
|
port = "80,443";
|
||||||
logpath = "/var/log/traefik/access.log";
|
logpath = "/var/log/traefik/access.log";
|
||||||
maxretry = 5;
|
maxretry = 5;
|
||||||
bantime = 3600;
|
bantime = "1h";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# HTTP scanning/attacks
|
# HTTP scanning/attacks
|
||||||
http-botsearch = {
|
http-botsearch = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "apache-botsearch";
|
filter = "apache-botsearch";
|
||||||
|
settings = {
|
||||||
port = "80,443";
|
port = "80,443";
|
||||||
logpath = [ "/var/log/traefik/access.log" ];
|
logpath = "/var/log/traefik/access.log";
|
||||||
maxretry = 2;
|
maxretry = 2;
|
||||||
bantime = 7200;
|
bantime = "2h";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@@ -470,7 +474,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
# Audit logging
|
# Audit logging
|
||||||
services.auditd.enable = true;
|
security.audit.enable = true;
|
||||||
|
|
||||||
# Fail2ban log directory
|
# Fail2ban log directory
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
|
|||||||
Reference in New Issue
Block a user