authorNiklas Hambüchen <mail@nh2.me>2020-10-11 17:27:49 +0200
committerNiklas Hambüchen <mail@nh2.me>2021-06-23 01:49:11 +0200
commita48fea4c5e53bace66f1730877e7b16178e5f7ea (patch)
treedf749ba911207d0b70ea183832c03657d31eec22 /nixos/modules/services/security/fail2ban.nix
parentbb8c2116dd2d03775c96e0695bfbace7074308b4 (diff)
sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for successful logins, see:
https://github.com/openssh/openssh-portable/blob/6247812c76f70b2245f3c23f5074665b3d436cae/auth.c#L323-L328

Also update description to the wording of the sshd_config man page.

`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.

The docs are updated accordingly.
Diffstat (limited to 'nixos/modules/services/security/fail2ban.nix')
-rw-r--r--nixos/modules/services/security/fail2ban.nix19
1 files changed, 18 insertions, 1 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 07702bfb9d0..499d3466750 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -45,7 +45,12 @@ in
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = "Whether to enable the fail2ban service.";
+        description = ''
+          Whether to enable the fail2ban service.
+
+          See the documentation of <option>services.fail2ban.jails</option>
+          for what jails are enabled by default.
+        '';
       };
 
       package = mkOption {
@@ -221,6 +226,15 @@ in
           defined in <filename>/etc/fail2ban/action.d</filename>,
           while filters are defined in
           <filename>/etc/fail2ban/filter.d</filename>.
+
+          NixOS comes with a default <literal>sshd</literal> jail;
+          for it to work well,
+          <option>services.openssh.logLevel</option> should be set to
+          <literal>"VERBOSE"</literal> or higher so that fail2ban
+          can observe failed login attempts.
+          This module sets it to <literal>"VERBOSE"</literal> if
+          not set otherwise, so enabling fail2ban can make SSH logs
+          more verbose.
         '';
       };
 
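Review bot: The new description text says logLevel should be `"VERBOSE"` "or higher", but the only levels above VERBOSE in sshd_config(5) are the DEBUG levels, which the man page itself says violate the privacy of users and are not recommended; recommending "or higher" in a security module's documentation points users toward that. Consider dropping the phrase so the sentence reads `<option>services.openssh.logLevel</option> should be set to <literal>"VERBOSE"</literal> so that fail2ban can observe failed login attempts.` The option definition this description belongs to begins before the hunk.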
@@ -313,6 +327,9 @@ in
       banaction_allports = ${cfg.banaction-allports}
     '';
     # Block SSH if there are too many failing connection attempts.
+    # Benefits from verbose sshd logging to observe failed login attempts,
+    # so we set that here unless the user overrode it.
+    services.openssh.logLevel = lib.mkDefault "VERBOSE";
     services.fail2ban.jails.sshd = mkDefault ''
       enabled = true
       port    = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}
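Review bot: The inserted `services.openssh.logLevel` assignment lands between the existing comment "Block SSH if there are too many failing connection attempts." and the `services.fail2ban.jails.sshd` definition that comment describes, so the comment now reads as if it applied to the logLevel setting. Moving the two new comment lines and the assignment above the existing comment keeps each comment next to the definition it documents, and writing it as `services.openssh.logLevel = mkDefault "VERBOSE";` matches the unqualified `mkDefault` used on the very next definition. Because `mkDefault` yields to any user-set value, a user who explicitly sets `logLevel = "INFO"` silently weakens the sshd jail; if that matters, a `warnings` entry for that case could surface it, though the description text already states the requirement. The enclosing `config` block starts and ends outside this hunk.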