TheWanderingCrow/CrOS
1
0
Fork 0
mirror of https://github.com/TheWanderingCrow/CrOS.git synced 2026-01-11 17:54:08 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

logging and ddos protection

Browse source
This commit is contained in:
TheWanderingCrow 2025-08-22 22:52:35 -04:00
parent b60067d31e
commit 9aca33af0a
4 changed files with 106 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

23
modules/services/fail2ban/default.nix
View file

@ -9,33 +9,36 @@
"fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
norestored = true # Needed to avoid receiving a new notification after every restart
actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing ${config.hostSpec.hostName} after <failures> attempts of hacking the system." https://notify.wanderingcrow.net/Fail2banNotifications
actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing ${config.hostSpec.hostName} after <failures> attempts of attacking the system." https://notify.wanderingcrow.net/Fail2banNotifications
'');
# Defines a filter that detects URL probing by reading the Nginx access log
"fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
"fail2ban/filter.d/nginx-ddos-protect.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ^<HOST>.*(GET /(admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
failregex = ^<HOST> - - \[.*\] "GET .* HTTP/.*" \d{3} \d+ "-" "ApacheBench/.+"
limiting requests, excess:.* by zone.*client: <HOST>
^.*\[error\]\s+\d+#\d+:\s+\*\d+\s+connect\(\) to unix:.*failed.*while connecting to upstream,\s+client:\s+<HOST>,\s+server:.*
^.*\[error\]\s+\d+#\d+:\s+\*\d+\s+upstream prematurely closed connection while reading response header from upstream,\s+client:\s+<HOST>,.*$
ignoreregex =
'');
};
services.fail2ban = {
enable = false;
enable = true;
extraPackages = [
pkgs.curl
];
ignoreIP = [
inputs.nix-secrets.network.primary.publicIP
"64.189.142.0/23"
];
jails = {
nginx-url-probe.settings = {
nginx-ddos-protect.settings = {
enabled = true;
filter = "nginx-url-probe";
logpath = "/var/log/nginx/access.log";
filter = "nginx-ddos-protect";
logpath = "/var/log/nginx/*.log";
action = '' %(action_)s[blocktype=DROP]
ntfy'';
backend = "auto"; # Do not forget to specify this if your jail uses a log file
maxretry = 5;
findtime = 600;
maxretry = 1;
findtime = 3600;
};
};
};