hosts/lazyworkhorse/configuration.nix

@@ -372,30 +372,29 @@
     };
     
     jails = {
-      # SSH brute force protection
+      # SSH brute force protection (uses systemd journal backend)
       sshd = {
         enabled = true;
         filter = "sshd";
         port = "2424";
-        logpath = "/var/log/auth.log";
         maxretry = 3;
         bantime = 3600;
       };
       
-      # HTTP authentication failures
+      # HTTP authentication failures (Traefik)
       http-auth = {
         enabled = true;
-        filter = "apache-auth";
+        filter = "traefik-auth";
         port = "80,443";
         logpath = "/var/log/traefik/access.log";
         maxretry = 5;
         bantime = 3600;
       };
       
-      # HTTP scanning/attacks
+      # HTTP scanning/attacks (Traefik)
       http-botsearch = {
         enabled = true;
-        filter = "apache-botsearch";
+        filter = "traefik-botsearch";
         port = "80,443";
         logpath = [ "/var/log/traefik/access.log" ];
         maxretry = 2;
@@ -404,6 +403,20 @@
     };
   };
   
+  # Custom fail2ban filters for Traefik
+  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
+    ignoreregex =
+  '';
+  
+  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
+                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
+    ignoreregex =
+  '';
+
   # SSH hardening
   services.openssh.settings = {
     PermitRootLogin = "no";