# NixOS module: fail2ban with two jails for the Mailu mail stack (fed from the
# systemd journal) and one for Samba (fed from /var/log/messages), plus the
# three filter files those jails reference under /etc/fail2ban/filter.d.
{ config, ... }: {
  services.fail2ban = {
    enable = true;
    jails = {
      # Mailu front-end login failures, read from the journal: 5 hits within
      # 600 s (10 min) -> ban for 604800 s (7 days).  This per-jail bantime
      # overrides the global "24h" set further down.
      mailu-auth-fail = ''
        enabled = true
        backend = systemd
        filter = mailu-auth-fail
        bantime = 604800
        findtime = 600
        maxretry = 5
      '';
      # Mailu admin rate-limit events, read from the journal: 15 hits within
      # 900 s (15 min) -> ban for 604800 s (7 days).
      mailu-auth-limit = ''
        enabled = true
        backend = systemd
        filter = mailu-auth-limit
        bantime = 604800
        findtime = 900
        maxretry = 15
      '';
      # Samba ransomware / honeypot detection: maxretry=1 means a single
      # matching log line bans the client for 2592000 s (30 days).
      # Unlike the two jails above, no backend is given, so the module's
      # default backend applies; logpath is only read by a file-polling
      # backend -- NOTE(review): confirm the effective backend actually reads
      # /var/log/messages and that a syslog service writes that file (it does
      # not exist on NixOS by default).
      samba = ''
        filter=samba-filter
        enabled=true
        logpath=/var/log/messages
        maxretry=1
        findtime=600
        bantime=2592000
      '';
    };
    # Bans drop traffic on every port, not only the offending service's:
    # banaction is pointed at the allports action defined one line above.
    banaction-allports = "iptables-allports";
    banaction = config.services.fail2ban.banaction-allports;
    # Global default bantime; every jail above sets its own, longer value.
    bantime = "24h";
    # Repeat offenders get progressively longer bans (randomised by up to
    # rndtime); overalljails=true counts prior bans from any jail, not just
    # the one that fired.  maxtime is left at the module default --
    # NOTE(review): with factor "24" confirm that cap is the intended upper
    # bound, and consider services.fail2ban.ignoreIP for trusted management
    # addresses, since a false positive here is an all-port lockout.
    bantime-increment = {
      enable = true;
      rndtime = "1h";
      overalljails = true;
      factor = "24";
    };
  };
  # Filter definitions referenced by the jails' "filter =" keys.  <HOST> is the
  # fail2ban placeholder that captures the address to ban.
  environment.etc = {
    # Matches mailu-front's "AUTH not supported" http-auth failures;
    # journalmatch narrows the journal scan to that container's log tag.
    "fail2ban/filter.d/mailu-auth-fail.conf".text = ''
      [Definition]
      failregex = ^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: <HOST>, server:
      ignoreregex =
      journalmatch = CONTAINER_TAG=mailu-front
    '';

    # Matches mailu-admin's "rate-limited" authentication lines, again scoped
    # to the container's journal tag.
    "fail2ban/filter.d/mailu-auth-limit.conf".text = ''
      [Definition]
      failregex = : Authentication attempt from <HOST> has been rate-limited\.$
      ignoreregex =
      journalmatch = CONTAINER_TAG=mailu-admin
    '';

    # Samba filter (from CanaryTek/ransomware-samba-tools, GPL3): three
    # alternatives over smbd log lines carrying "IP=<HOST>" -- a honeypot file
    # name (must contain "-sync-decrypted."), a known ransomware extension, or
    # a known ransom-note file name.  The continuation lines of failregex must
    # stay indented deeper than the key for fail2ban's INI parser.
    # NOTE(review): presumably smbd full_audit logging is enabled so these
    # lines reach /var/log/messages -- confirm.  Also note the ransom-note
    # list includes generic names such as ReadMe.txt, Read.txt and
    # About_Files.txt; combined with maxretry=1 and an all-port 30-day ban a
    # legitimate user touching such a file is locked out on first hit.  A few
    # alternatives (DecryptAllFiles.txt, HELP_TO_SAVE_FILES.txt,
    # recoveryfile*.txt) are listed twice; harmless.
    "fail2ban/filter.d/samba-filter.conf".text = ''
      [Definition]
      # Honeypot file regex. The files in the honeypot folder MUST match this regex
      __honeypot_files_re=(-sync-decrypted\.)

      # Known ransomware extensions regex
      __known_ransom_extensions_re=(\.k$|\.encoderpass$|\.key$|\.ecc$|\.ezz$|\.exx$|\.zzz$|\.xyz$|\.aaa$|\.abc$|\.ccc$|\.vvv$|\.xxx$|\.ttt$|\.micro$|\.encrypted$|\.locked$|\.crypto$|_crypt$|\.crinf$|\.r5a$|\.xrtn$|\.XTBL$|\.crypt$|\.R16M01D05$|\.pzdc$|\.good$|\.LOL\!$|\.OMG\!$|\.RDM$|\.RRK$|\.encryptedRSA$|\.crjoker$|\.EnCiPhErEd$|\.LeChiffre$|\.keybtc@inbox_com$|\.0x0$|\.bleep$|\.1999$|\.vault$|\.HA3$|\.toxcrypt$|\.magic$|\.SUPERCRYPT$|\.CTBL$|\.CTB2$|\.locky$|\.wnry$|\.wcry$|\.wncry$|\.wncryt$|\.uiwix$)
      # Known ransomware files regex
      __known_ransom_files_re=(HELPDECRYPT\.TXT$|HELP_YOUR_FILES\.TXT$|HELP_TO_DECRYPT_YOUR_FILES\.txt$|RECOVERY_KEY\.txt$|HELP_RESTORE_FILES\.txt$|HELP_RECOVER_FILES\.txt$|HELP_TO_SAVE_FILES\.txt$|DecryptAllFiles\.txt$|DECRYPT_INSTRUCTIONS\.TXT$|INSTRUCCIONES_DESCIFRADO\.TXT$|How_To_Recover_Files\.txt$|YOUR_FILES\.HTML$|YOUR_FILES\.url$|Help_Decrypt\.txt$|DECRYPT_INSTRUCTION\.TXT$|HOW_TO_DECRYPT_FILES\.TXT$|ReadDecryptFilesHere\.txt$|Coin\.Locker\.txt$|_secret_code\.txt$|About_Files\.txt$|Read\.txt$|ReadMe\.txt$|DECRYPT_ReadMe\.TXT$|DecryptAllFiles\.txt$|FILESAREGONE\.TXT$|IAMREADYTOPAY\.TXT$|HELLOTHERE\.TXT$|READTHISNOW\!\!\!\.TXT$|SECRETIDHERE\.KEY$|IHAVEYOURSECRET\.KEY$|SECRET\.KEY$|HELPDECYPRT_YOUR_FILES\.HTML$|help_decrypt_your_files\.html$|HELP_TO_SAVE_FILES\.txt$|RECOVERY_FILES\.txt$|RECOVERY_FILE\.TXT$|RECOVERY_FILE.*\.txt$|HowtoRESTORE_FILES\.txt$|HowtoRestore_FILES\.txt$|howto_recover_file\.txt$|restorefiles\.txt$|howrecover\+.*\.txt$|_how_recover\.txt$|recoveryfile.*\.txt$|recoverfile.*\.txt$|recoveryfile.*\.txt$|Howto_Restore_FILES\.TXT$|help_recover_instructions\+.*\.txt$|_Locky_recover_instructions\.txt$)

      # Match on known ransomware regex or generic honeypot
      failregex = smbd.*:\ IP=<HOST>\ .*%(__honeypot_files_re)s
                  smbd.*:\ IP=<HOST>\ .*%(__known_ransom_extensions_re)s
                  smbd.*:\ IP=<HOST>\ .*%(__known_ransom_files_re)s

      # Filter generously provided by https://github.com/CanaryTek/ransomware-samba-tools
      # Provided under GPL3
    '';
  };
}