diff options
author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /nixos/modules/services/security/sshguard.nix | |
parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
download | nixpkgs-archive.tar nixpkgs-archive.tar.gz nixpkgs-archive.tar.bz2 nixpkgs-archive.tar.lz nixpkgs-archive.tar.xz nixpkgs-archive.tar.zst nixpkgs-archive.zip |
Last good Nixpkgs for Weston+nouveau? archive
I came this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'nixos/modules/services/security/sshguard.nix')
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix new file mode 100644 index 00000000000..53bd9efa5ac --- /dev/null +++ b/nixos/modules/services/security/sshguard.nix @@ -0,0 +1,161 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.sshguard; + + configFile = let + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + backend = if config.networking.nftables.enable + then "sshg-fw-nft-sets" + else "sshg-fw-ipset"; + in pkgs.writeText "sshguard.conf" '' + BACKEND="${pkgs.sshguard}/libexec/${backend}" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + +in { + + ###### interface + + options = { + + services.sshguard = { + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to enable the sshguard service."; + }; + + attack_threshold = mkOption { + default = 30; + type = types.int; + description = '' + Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10. + ''; + }; + + blacklist_threshold = mkOption { + default = null; + example = 120; + type = types.nullOr types.int; + description = '' + Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. + ''; + }; + + blacklist_file = mkOption { + default = "/var/lib/sshguard/blacklist.db"; + type = types.path; + description = '' + Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. + ''; + }; + + blocktime = mkOption { + default = 120; + type = types.int; + description = '' + Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5. + + sshguard unblocks attacks at random intervals, so actual block times will be longer. + ''; + }; + + detection_time = mkOption { + default = 1800; + type = types.int; + description = '' + Remember potential attackers for up to detection_time seconds before resetting their score. + ''; + }; + + whitelist = mkOption { + default = [ ]; + example = [ "198.51.100.56" "198.51.100.2" ]; + type = types.listOf types.str; + description = '' + Whitelist a list of addresses, hostnames, or address blocks. + ''; + }; + + services = mkOption { + default = [ "sshd" ]; + example = [ "sshd" "exim" ]; + type = types.listOf types.str; + description = '' + Systemd services sshguard should receive logs of. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + environment.etc."sshguard.conf".source = configFile; + + systemd.services.sshguard = { + description = "SSHGuard brute-force attacks protection system"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; + + restartTriggers = [ configFile ]; + + path = with pkgs; if config.networking.nftables.enable + then [ nftables iproute2 systemd ] + else [ iptables ipset iproute2 systemd ]; + + # The sshguard ipsets must exist before we invoke + # iptables. sshguard creates the ipsets after startup if + # necessary, but if we let sshguard do it, we can't reliably add + # the iptables rules because postStart races with the creation + # of the ipsets. So instead, we create both the ipsets and + # firewall rules before sshguard starts. + preStart = optionalString config.networking.firewall.enable '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet + ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP + '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 + ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP + ''; + + postStop = optionalString config.networking.firewall.enable '' + ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 + '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' + ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP + ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 + ''; + + unitConfig.Documentation = "man:sshguard(8)"; + + serviceConfig = { + Type = "simple"; + ExecStart = let + args = lib.concatStringsSep " " ([ + "-a ${toString cfg.attack_threshold}" + "-p ${toString cfg.blocktime}" + "-s ${toString cfg.detection_time}" + (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") + ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)); + in "${pkgs.sshguard}/bin/sshguard ${args}"; + Restart = "always"; + ProtectSystem = "strict"; + ProtectHome = "tmpfs"; + RuntimeDirectory = "sshguard"; + StateDirectory = "sshguard"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; + }; + }; + }; +} |