{ lib, pkgs, ... }: { environment.etc = { # Define an action that will trigger a Ntfy push notification upon the issue of every new ban "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' [Definition] norestored = true # Needed to avoid receiving a new notification after every restart actionban = ${pkgs.coreutils}/bin/echo " has been banned: jail has banned from accessing $(hostname) after attempts of hacking the system." | /run/wrappers/bin/sendmail -i fail2ban@localhost.com ''); # Defines a filter that detects URL probing by reading the Nginx access log "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' [Definition] failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2}) ''); }; services.fail2ban = { enable = true; # Ban IP after 5 failures maxretry = 5; ignoreIP = [ # Whitelist some subnets "192.168.178.0/24" "91.99.0.169" "kylekrein.duckdns.org" ]; bantime = "24h"; # Ban IPs for one day on the first ban bantime-increment = { enable = true; # Enable increment of bantime after each violation #formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; multipliers = "1 2 4 8 16 32 64"; maxtime = "1680h"; # Do not ban for more than 10 weeks overalljails = true; # Calculate the bantime based on all the violations }; jails = { nginx-url-probe.settings = { enabled = true; filter = "nginx-url-probe"; logpath = "/var/log/nginx/access.log"; action = '' %(action_)s[blocktype=DROP] ntfy''; backend = "auto"; # Do not forget to specify this if your jail uses a log file maxretry = 5; findtime = 600; }; }; }; }