gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

security: harden server with firewall, fail2ban, and SSH protections #30

Closed
Hermes wants to merge 9 commits from feature/server-hardening into master
pull from: feature/server-hardening
merge into: gortium:master
Conversation 0 Commits 9 Files Changed 9 +830 -1
7 changed files with 830 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit ceaf470f8a - Show all commits

25
hosts/lazyworkhorse/configuration.nix
View File

@@ -372,30 +372,29 @@
}; };
jails = { jails = {
# SSH brute force protection # SSH brute force protection (uses systemd journal backend)
sshd = { sshd = {
enabled = true; enabled = true;
filter = "sshd"; filter = "sshd";
port = "2424"; port = "2424";
logpath = "/var/log/auth.log";
maxretry = 3; maxretry = 3;
bantime = 3600; bantime = 3600;
}; };
# HTTP authentication failures # HTTP authentication failures (Traefik)
http-auth = { http-auth = {
enabled = true; enabled = true;
filter = "apache-auth"; filter = "traefik-auth";
port = "80,443"; port = "80,443";
logpath = "/var/log/traefik/access.log"; logpath = "/var/log/traefik/access.log";
maxretry = 5; maxretry = 5;
bantime = 3600; bantime = 3600;
}; };
# HTTP scanning/attacks # HTTP scanning/attacks (Traefik)
http-botsearch = { http-botsearch = {
enabled = true; enabled = true;
filter = "apache-botsearch"; filter = "traefik-botsearch";
port = "80,443"; port = "80,443";
logpath = [ "/var/log/traefik/access.log" ]; logpath = [ "/var/log/traefik/access.log" ];
maxretry = 2; maxretry = 2;
@@ -403,6 +402,20 @@
}; };
}; };
}; };
# Custom fail2ban filters for Traefik
environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
ignoreregex =
'';
environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
ignoreregex =
'';
# SSH hardening # SSH hardening
services.openssh.settings = { services.openssh.settings = {