Author: eelco
Date: Thu May 17 02:51:24 2012
New Revision: 34149
URL: https://nixos.org/websvn/nix/?rev=34149&sc=1

Log:
* Basic module for fail2ban.  Not configurable yet.  It currently
  blocks IP addresses if they make too many failed login attempts.

Added:
   nixos/trunk/modules/services/security/fail2ban.nix
Modified:
   nixos/trunk/modules/tasks/network-interfaces.nix

Added: nixos/trunk/modules/services/security/fail2ban.nix
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ nixos/trunk/modules/services/security/fail2ban.nix  Thu May 17 02:51:24 
2012        (r34149)
@@ -0,0 +1,88 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  fail2banConf = pkgs.writeText "fail2ban.conf"
+    ''
+      [Definition]
+      loglevel  = 3
+      logtarget = SYSLOG
+      socket    = /var/run/fail2ban/fail2ban.sock
+    '';
+
+  jailConf = pkgs.writeText "jail.conf"
+    ''
+      [DEFAULT]
+      bantime  = 120
+      findtime = 120
+      maxretry = 3
+      backend  = auto
+    
+      [ssh-iptables]
+      enabled  = true
+      filter   = sshd
+      action   = iptables[name=SSH, port=ssh, protocol=tcp]
+      logpath  = /var/log/warn
+      maxretry = 5
+    '';
+
+in
+    
+{
+
+  ###### interface
+
+  options = {
+
+  };
+
+  
+  ###### implementation
+
+  config = {
+
+    environment.systemPackages = [ pkgs.fail2ban ];
+
+    environment.etc =
+      [ { source = fail2banConf;
+          target = "fail2ban/fail2ban.conf";
+        }
+        { source = jailConf;
+          target = "fail2ban/jail.conf";
+        }
+        { source = "${pkgs.fail2ban}/etc/fail2ban/action.d";
+          target = "fail2ban/action.d";
+        }
+        { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d";
+          target = "fail2ban/filter.d";
+        }
+      ];
+
+    jobs.fail2ban =
+      { description = "Fail2ban intrusion prevention system";
+      
+        startOn = "started networking";
+        
+        path = [ pkgs.fail2ban pkgs.iptables ];
+        
+        preStart =
+          ''
+            # ${fail2banConf} ${jailConf}
+            mkdir -p /var/run/fail2ban -m 0755
+          '';
+          
+        exec = "fail2ban-server -f";
+
+        postStart =
+          ''
+            fail2ban-client reload
+          '';
+        
+        respawn = false;
+      };
+  
+  };
+
+}
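Review bot: `respawn = false;` at the end of the jobs.fail2ban block means that if fail2ban-server ever exits, the host silently loses its brute-force protection and nothing on this page arranges a restart or an alert; unless there is a reason the daemon must not be restarted automatically, `respawn = true;` (or at least a comment stating why it is off) looks preferable for a security service. The `postStart` `fail2ban-client reload` runs immediately after `exec` launches the server and talks to it over the socket named in fail2banConf, so it can race the socket's creation; since, as far as I recall, `fail2ban-server -f` does not load jail.conf itself and relies on the client to push it, a lost reload leaves the server running with no jails, so a short retry around the reload would be safer. The `# ${fail2banConf} ${jailConf}` line in preStart appears to exist only so the job text depends on both config files and changing them restarts the job — a comment such as `# Reference the config files so the job is restarted when they change.` would make that intent explicit. The `logpath = /var/log/warn` in jailConf is the only file the sshd filter scans, so if sshd's failed-login messages land elsewhere on this system the jail matches nothing and no bans ever happen; worth confirming against the syslog configuration.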

Modified: nixos/trunk/modules/tasks/network-interfaces.nix
==============================================================================
--- nixos/trunk/modules/tasks/network-interfaces.nix    Wed May 16 22:58:49 
2012        (r34148)
+++ nixos/trunk/modules/tasks/network-interfaces.nix    Thu May 17 02:51:24 
2012        (r34149)
@@ -274,7 +274,7 @@
 
     jobs.networking = {
       name = "networking";
-      description = "all required interfaces are up";
+      description = "All required interfaces are up";
       startOn = "started network-interfaces";
       stopOn  = "stopping network-interfaces";
       task = true;