cleslie/nixfiles
1
0
Fork 0
mirror of https://github.com/callumio/nixfiles.git synced 2025-12-17 11:39:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
nixfiles/hosts/hermes/fail2ban.nix
Callum Leslie c45c7f26a4
initial commit
2024-08-30 13:15:37 +01:00

106 lines
2.8 KiB
Nix
Raw Blame History

{pkgs, ...}: {
services.fail2ban = {
enable = true;
jails = {
sshd.settings = {enabled = false;};
radarr.settings = {
enabled = true;
filter = "arr";
action = ''
iptables-allports
'';
logpath = "/var/lib/radarr/.config/Radarr/logs/radarr.txt";
backend = "auto";
maxretry = 4;
bantime = "52w";
findtime = "52w";
chain = "FORWARD";
};
sonarr.settings = {
enabled = true;
filter = "arr";
action = ''
iptables-allports
'';
logpath = "/var/lib/sonarr/.config/NzbDrone/logs/sonarr.txt";
backend = "auto";
maxretry = 4;
bantime = "52w";
findtime = "52w";
chain = "FORWARD";
};
prowlarr.settings = {
enabled = true;
filter = "arr";
action = ''
iptables-allports
'';
logpath = "/var/lib/prowlarr/logs/prowlarr.txt";
backend = "auto";
maxretry = 4;
bantime = "52w";
findtime = "52w";
chain = "FORWARD";
};
jellyseerr.settings = {
enabled = true;
filter = "jellyseerr";
action = ''
iptables-allports
'';
logpath = "/var/lib/jellyseerr/logs/overseer*.log";
backend = "auto";
maxretry = 4;
bantime = "52w";
findtime = "52w";
chain = "FORWARD";
};
jellyfin.settings = {
enabled = true;
filter = "jellyfin";
action = ''
iptables-allports
'';
logpath = "/var/lib/jellyfin/log/log*.log";
backend = "auto";
maxretry = 4;
bantime = "52w";
findtime = "52w";
chain = "FORWARD";
};
};
};
environment.etc = {
"fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S\.%%f\|
failregex = ^\s*Warn\|Auth\|Auth-Failure ip <ADDR> username '<F-USER>[^']+</F-USER>'
ignoreregex =
'');
"fail2ban/filter.d/jellyseerr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*\[warn\]\[API\]: Failed sign-in attempt using invalid Overseerr password {"ip":"<HOST>","email":
^.*\[warn\]\[Auth\]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"<HOST>","email":
ignoreregex =
'');
"fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.
ignoreregex =
'');
};
}
Reference in a new issue View git blame Copy permalink