# fail2ban for this host: two jails fed from the journal of the Mailu
# containers (front/nginx login failures, admin rate-limit hits) and one jail
# fed from the Samba audit log (ransomware / honeypot filter). The filter
# definitions the jails reference are dropped into /etc/fail2ban/filter.d.
{ config, ... }:

let
  # Jail sections rendered verbatim into jail.local by the NixOS module.
  # Time values are seconds: 600 = 10 min, 900 = 15 min,
  # 604800 = 7 days, 2592000 = 30 days.
  mailuJails = {
    # Repeated login failures seen by the Mailu front (nginx) container:
    # 5 matches within 10 min ban the client for 7 days.
    mailu-auth-fail = ''
      enabled = true
      backend = systemd
      filter = mailu-auth-fail
      bantime = 604800
      findtime = 600
      maxretry = 5
    '';

    # Clients that Mailu admin has already rate-limited: 15 such events
    # within 15 min ban the client for 7 days. Both Mailu jails read the
    # journal (backend = systemd); the filter's journalmatch restricts the
    # scan to the container's log stream.
    mailu-auth-limit = ''
      enabled = true
      backend = systemd
      filter = mailu-auth-limit
      bantime = 604800
      findtime = 900
      maxretry = 15
    '';
  };

  # Samba ransomware/honeypot jail. maxretry=1 means a single matching
  # audit line is enough to ban the client, for 30 days.
  # NOTE(review): no backend is set here, so the jail inherits whatever the
  # DEFAULT section provides and polls /var/log/messages; that file only
  # exists when a syslog daemon writes it — confirm one is configured on
  # this host, otherwise the jail has no log to read.
  sambaJail = {
    samba = ''
      filter=samba-filter
      enabled=true
      logpath=/var/log/messages
      maxretry=1
      findtime=600
      bantime=2592000
    '';
  };

  # Filter definitions. Every failregex must capture the offender as <HOST>.
  filters = {
    # nginx-style "client login failed" entries from the mailu-front
    # container; <HOST> is taken from the "client:" field.
    "fail2ban/filter.d/mailu-auth-fail.conf" = {
      text = ''
        [Definition]
        failregex = ^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: <HOST>, server:
        ignoreregex =
        journalmatch = CONTAINER_TAG=mailu-front
      '';
    };

    # Rate-limit notices emitted by the mailu-admin container.
    "fail2ban/filter.d/mailu-auth-limit.conf" = {
      text = ''
        [Definition]
        failregex = : Authentication attempt from <HOST> has been rate-limited\.$
        ignoreregex =
        journalmatch = CONTAINER_TAG=mailu-admin
      '';
    };

    # Samba full-audit filter: matches any smbd audit line touching a
    # honeypot file, a file with a known ransomware extension, or a known
    # ransom-note filename. The regex lists below are part of the filter
    # file itself (fail2ban ini comments), not Nix comments.
    "fail2ban/filter.d/samba-filter.conf" = {
      text = ''
        [Definition]
        # Honeypot file regex. The files in the honeypot folder MUST match this regex
        __honeypot_files_re=(-sync-decrypted\.)

        # Known ransomware extensions regex
        __known_ransom_extensions_re=(\.k$|\.encoderpass$|\.key$|\.ecc$|\.ezz$|\.exx$|\.zzz$|\.xyz$|\.aaa$|\.abc$|\.ccc$|\.vvv$|\.xxx$|\.ttt$|\.micro$|\.encrypted$|\.locked$|\.crypto$|_crypt$|\.crinf$|\.r5a$|\.xrtn$|\.XTBL$|\.crypt$|\.R16M01D05$|\.pzdc$|\.good$|\.LOL\!$|\.OMG\!$|\.RDM$|\.RRK$|\.encryptedRSA$|\.crjoker$|\.EnCiPhErEd$|\.LeChiffre$|\.keybtc@inbox_com$|\.0x0$|\.bleep$|\.1999$|\.vault$|\.HA3$|\.toxcrypt$|\.magic$|\.SUPERCRYPT$|\.CTBL$|\.CTB2$|\.locky$|\.wnry$|\.wcry$|\.wncry$|\.wncryt$|\.uiwix$)
        # Known ransomware files regex
        __known_ransom_files_re=(HELPDECRYPT\.TXT$|HELP_YOUR_FILES\.TXT$|HELP_TO_DECRYPT_YOUR_FILES\.txt$|RECOVERY_KEY\.txt$|HELP_RESTORE_FILES\.txt$|HELP_RECOVER_FILES\.txt$|HELP_TO_SAVE_FILES\.txt$|DecryptAllFiles\.txt$|DECRYPT_INSTRUCTIONS\.TXT$|INSTRUCCIONES_DESCIFRADO\.TXT$|How_To_Recover_Files\.txt$|YOUR_FILES\.HTML$|YOUR_FILES\.url$|Help_Decrypt\.txt$|DECRYPT_INSTRUCTION\.TXT$|HOW_TO_DECRYPT_FILES\.TXT$|ReadDecryptFilesHere\.txt$|Coin\.Locker\.txt$|_secret_code\.txt$|About_Files\.txt$|Read\.txt$|ReadMe\.txt$|DECRYPT_ReadMe\.TXT$|DecryptAllFiles\.txt$|FILESAREGONE\.TXT$|IAMREADYTOPAY\.TXT$|HELLOTHERE\.TXT$|READTHISNOW\!\!\!\.TXT$|SECRETIDHERE\.KEY$|IHAVEYOURSECRET\.KEY$|SECRET\.KEY$|HELPDECYPRT_YOUR_FILES\.HTML$|help_decrypt_your_files\.html$|HELP_TO_SAVE_FILES\.txt$|RECOVERY_FILES\.txt$|RECOVERY_FILE\.TXT$|RECOVERY_FILE.*\.txt$|HowtoRESTORE_FILES\.txt$|HowtoRestore_FILES\.txt$|howto_recover_file\.txt$|restorefiles\.txt$|howrecover\+.*\.txt$|_how_recover\.txt$|recoveryfile.*\.txt$|recoverfile.*\.txt$|recoveryfile.*\.txt$|Howto_Restore_FILES\.TXT$|help_recover_instructions\+.*\.txt$|_Locky_recover_instructions\.txt$)

        # Match on known ransomware regex or generic honeypot
        failregex = smbd.*:\ IP=<HOST>\ .*%(__honeypot_files_re)s
        smbd.*:\ IP=<HOST>\ .*%(__known_ransom_extensions_re)s
        smbd.*:\ IP=<HOST>\ .*%(__known_ransom_files_re)s

        # Filter generously provided by https://github.com/CanaryTek/ransomware-samba-tools
        # Provided under GPL3
      '';
    };
  };
in
{
  services.fail2ban = {
    enable = true;

    # The all-ports action is set explicitly and then used as the regular
    # banaction too, so every ban from any jail here blocks the offending
    # host on all ports rather than only the port of the service it hit.
    # The reference goes through `config` so any override of
    # banaction-allports elsewhere is honoured.
    banaction-allports = "iptables-allports";
    banaction = config.services.fail2ban.banaction-allports;

    jails = mailuJails // sambaJail;
  };

  environment.etc = filters;
}