Diffstat (limited to 'nixos/modules/services/security/fail2ban.nix')
-rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 48 |
1 files changed, 24 insertions, 24 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 67e1026dcef..24c84151bc7 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -45,10 +45,10 @@ in
 enable = mkOption {
 default = false;
 type = types.bool;
- description = ''
+ description = lib.mdDoc ''
 Whether to enable the fail2ban service.
- See the documentation of <option>services.fail2ban.jails</option>
+ See the documentation of {option}`services.fail2ban.jails`
 for what jails are enabled by default.
 '';
 };
@@ -58,7 +58,7 @@ in
 defaultText = literalExpression "pkgs.fail2ban";
 type = types.package;
 example = literalExpression "pkgs.fail2ban_0_11";
- description = "The fail2ban package to use for running the fail2ban service.";
+ description = lib.mdDoc "The fail2ban package to use for running the fail2ban service.";
 };
 packageFirewall = mkOption {
@@ -66,7 +66,7 @@ in
 defaultText = literalExpression "pkgs.iptables";
 type = types.package;
 example = literalExpression "pkgs.nftables";
- description = "The firewall package used by fail2ban service.";
+ description = lib.mdDoc "The firewall package used by fail2ban service.";
 };
 extraPackages = mkOption {
@@ -82,14 +82,14 @@ in
 maxretry = mkOption {
 default = 3;
 type = types.ints.unsigned;
- description = "Number of failures before a host gets banned.";
+ description = lib.mdDoc "Number of failures before a host gets banned.";
 };
 banaction = mkOption {
 default = "iptables-multiport";
 type = types.str;
 example = "nftables-multiport";
- description = ''
+ description = lib.mdDoc ''
 Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is used to define action_* variables. Can be overridden globally or per section within jail.local file
@@ -100,7 +100,7 @@ in
 default = "iptables-allport";
 type = types.str;
 example = "nftables-allport";
- description = ''
+ description = lib.mdDoc ''
 Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is used to define action_* variables. Can be overridden globally or per section within jail.local file
@@ -110,7 +110,7 @@ in
 bantime-increment.enable = mkOption {
 default = false;
 type = types.bool;
- description = ''
+ description = lib.mdDoc ''
 Allows to use database for searching of previously banned ip's to increase a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
 '';
@@ -120,7 +120,7 @@ in
 default = "4m";
 type = types.str;
 example = "8m";
- description = ''
+ description = lib.mdDoc ''
 "bantime-increment.rndtime" is the max number of seconds using for mixing with random time to prevent "clever" botnets calculate exact time IP can be unbanned again
 '';
@@ -130,7 +130,7 @@ in
 default = "10h";
 type = types.str;
 example = "48h";
- description = ''
+ description = lib.mdDoc ''
 "bantime-increment.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
 '';
 };
@@ -139,7 +139,7 @@ in
 default = "1";
 type = types.str;
 example = "4";
- description = ''
+ description = lib.mdDoc ''
 "bantime-increment.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, default value of factor is 1 and with default value of formula, the ban time grows by 1, 2, 4, 8, 16 ...
 '';
@@ -149,7 +149,7 @@ in
 default = "ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor";
 type = types.str;
 example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
- description = ''
+ description = lib.mdDoc ''
 "bantime-increment.formula" used by default to calculate next value of ban time, default value bellow, the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
 '';
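Review bot: The context line `default = "iptables-allport";` at the top of the `@@ -100` hunk (and the example `nftables-allport`) names an action in the singular, while fail2ban, as far as I recall its action.d, ships `iptables-allports.conf` and `nftables-allports.conf`; unless the package adds a singular alias, a jail that resolves `banaction_allports` would fail to load its action and no ban would be applied. Worth checking against the package's action.d and, if confirmed, changing to `default = "iptables-allports";` and `example = "nftables-allports";`. Separately, the new `lib.mdDoc` description is a verbatim copy of `banaction`'s text from two hunks earlier, so the manual will not tell the reader how the two options differ; a first line such as `Default banning action for jails that ban on all ports (maps to banaction_allports in fail2ban's jail.conf).` would fix that, hedged on the mapping since the generated config is outside this hunk. The enclosing mkOption starts before the hunk.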
@@ -159,7 +159,7 @@ in
 default = "1 2 4 8 16 32 64";
 type = types.str;
 example = "2 4 16 128";
- description = ''
+ description = lib.mdDoc ''
 "bantime-increment.multipliers" used to calculate next value of ban time instead of formula, coresponding previously ban count and given "bantime.factor" (for multipliers default is 1); following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
@@ -171,7 +171,7 @@ in
 default = false;
 type = types.bool;
 example = true;
- description = ''
+ description = lib.mdDoc ''
 "bantime-increment.overalljails" (if true) specifies the search of IP in the database will be executed cross over all jails, if false (dafault), only current jail of the ban IP will be searched
 '';
@@ -181,7 +181,7 @@ in
 default = [ ];
 type = types.listOf types.str;
 example = [ "192.168.0.0/16" "2001:DB8::42" ];
- description = ''
+ description = lib.mdDoc ''
 "ignoreIP" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which matches an address in this list. Several addresses can be defined using space (and/or comma) separator.
 '';
@@ -196,7 +196,7 @@ in
 dbfile = /var/lib/fail2ban/fail2ban.sqlite3
 '';
 type = types.lines;
- description = ''
+ description = lib.mdDoc ''
 The contents of Fail2ban's main configuration file. It's generally not necessary to change it.
 '';
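Review bot: The description converted in the `@@ -171` hunk now renders as Markdown in the manual but still carries the typo "dafault" and the phrasing "executed cross over all jails"; since the line is being rewritten anyway, `if false (default), only the current jail of the banned IP is searched` and `the search for the IP in the database is executed across all jails` would read correctly. The same applies to "coresponding" in the `@@ -159` hunk's description. The enclosing mkOption definitions start before their hunks.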
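Review bot: The `ignoreIP` description in the `@@ -181` hunk still says addresses can be "defined using space (and/or comma) separator", but the option is `types.listOf types.str` and the example puts one address per element, so that sentence (inherited from fail2ban's own jail.conf) invites users to stuff a space-separated string into a single element. Suggest replacing the last sentence with `Each list element is one IP address, CIDR range or DNS name.`; how the list is joined into fail2ban's `ignoreip` happens in the config rendering outside this hunk, so that should be confirmed rather than documented here. Because every entry here exempts a host from banning entirely, a short warning that DNS names are presumably resolved by fail2ban at runtime and should be limited to trusted names would also help operators. The enclosing mkOption starts before the hunk.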
@@ -219,22 +219,22 @@ in
 }
 '';
 type = types.attrsOf types.lines;
- description = ''
+ description = lib.mdDoc ''
 The configuration of each Fail2ban “jail”. A jail consists of an action (such as blocking a port using
- <command>iptables</command>) that is triggered when a
+ {command}`iptables`) that is triggered when a
 filter applied to a log file triggers more than a certain number of times in a certain time period. Actions are
- defined in <filename>/etc/fail2ban/action.d</filename>,
+ defined in {file}`/etc/fail2ban/action.d`,
 while filters are defined in
- <filename>/etc/fail2ban/filter.d</filename>.
+ {file}`/etc/fail2ban/filter.d`.
- NixOS comes with a default <literal>sshd</literal> jail;
+ NixOS comes with a default `sshd` jail;
 for it to work well,
- <option>services.openssh.logLevel</option> should be set to
- <literal>"VERBOSE"</literal> or higher so that fail2ban
+ {option}`services.openssh.logLevel` should be set to
+ `"VERBOSE"` or higher so that fail2ban
 can observe failed login attempts.
- This module sets it to <literal>"VERBOSE"</literal> if
+ This module sets it to `"VERBOSE"` if
 not set otherwise, so enabling fail2ban can make SSH logs more verbose.
 '';
|