* Basic module for fail2ban. Not configurable yet. It currently

blocks IP addresses if they make too many failed login attempts. svn path=/nixos/trunk/; revision=34149
2012-05-17 02:51:24 +00:00 · 2012-05-17 02:51:24 +00:00 · 3ce8859551
commit 3ce8859551
parent a9a507eede
2 changed files with 89 additions and 1 deletions
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@ -0,0 +1,88 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  fail2banConf = pkgs.writeText "fail2ban.conf"
+    ''
+      [Definition]
+      loglevel  = 3
+      logtarget = SYSLOG
+      socket    = /var/run/fail2ban/fail2ban.sock
+    '';
+
+  jailConf = pkgs.writeText "jail.conf"
+    ''
+      [DEFAULT]
+      bantime  = 120
+      findtime = 120
+      maxretry = 3
+      backend  = auto
+    
+      [ssh-iptables]
+      enabled  = true
+      filter   = sshd
+      action   = iptables[name=SSH, port=ssh, protocol=tcp]
+      logpath  = /var/log/warn
+      maxretry = 5
+    '';
+
+in
+    
+{
+
+  ###### interface
+
+  options = {
+
+  };
+
+  
+  ###### implementation
+
+  config = {
+
+    environment.systemPackages = [ pkgs.fail2ban ];
+
+    environment.etc =
+      [ { source = fail2banConf;
+          target = "fail2ban/fail2ban.conf";
+        }
+        { source = jailConf;
+          target = "fail2ban/jail.conf";
+        }
+        { source = "${pkgs.fail2ban}/etc/fail2ban/action.d";
+          target = "fail2ban/action.d";
+        }
+        { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d";
+          target = "fail2ban/filter.d";
+        }
+      ];
+
+    jobs.fail2ban =
+      { description = "Fail2ban intrusion prevention system";
+      
+        startOn = "started networking";
+        
+        path = [ pkgs.fail2ban pkgs.iptables ];
+        
+        preStart =
+          ''
+            # ${fail2banConf} ${jailConf}
+            mkdir -p /var/run/fail2ban -m 0755
+          '';
+          
+        exec = "fail2ban-server -f";
+
+        postStart =
+          ''
+            fail2ban-client reload
+          '';
+        
+        respawn = false;
+      };
+  
+  };
+
+}
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
@ -274,7 +274,7 @@ in

    jobs.networking = {
      name = "networking";
-      description = "all required interfaces are up";
+      description = "All required interfaces are up";
      startOn = "started network-interfaces";
      stopOn  = "stopping network-interfaces";
      task = true;