ljdsalkjdsalkj

2025-06-15 02:14:37 +02:00
parent ef3addd00f
commit 3aadbea0ec
4 changed files with 31 additions and 2 deletions
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
@@ -86,7 +86,31 @@ in
      extraConfig = "return 444;";
    };

-    /** /
+    # https://wiki.nixos.org/wiki/Fail2ban
+    # Defines a filter that detects URL probing by reading the Nginx access log
+    /*--* /
+    environment.etc."fail2ban/filter.d/nginx-url-probe.local".text = lib.mkDefault (lib.mkAfter ''
+    [Definition]
+    failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+    '');
+    services.fail2ban.enable = true;
+    services.fail2ban.jails = {
+      nginx-url-probe.settings = {
+        enabled = true;
+        filter = "nginx-url-probe";
+        logpath = "/var/log/nginx/access.log";
+        backend = "auto"; # Do not forget to specify this if your jail uses a log file
+        action = ''
+          %(action_)s[blocktype=DROP]
+          ntfy
+        '';
+        maxretry = 5;
+        findtime = 600;
+      };
+    };
+    /**/
+
+    /*--* /
    services.nginx.virtualHosts."" = {
      default = true;
      forceSSL = false;
@@ -100,7 +124,7 @@ in

    # Website tunnel
    # TODO: remove
-    /** /
+    /*--* /
    services.nginx.virtualHosts.${config.networking.fqdn} = {
      forceSSL = true; # addSSL = true;
      enableACME = true;