author | Niklas Hambüchen <mail@nh2.me> | 2021-06-23 02:06:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-23 02:06:54 +0200 |
commit | 959c4e82bc0972bae00f1501821812a7f27e1956 (patch) | |
tree | 34d1ec1b05c841ffe560014530ebd4757ea267e2 /nixos/modules | |
parent | 7e3d8fc66ba295cd2278fe231794c75710e86df5 (diff) | |
parent | a48fea4c5e53bace66f1730877e7b16178e5f7ea (diff) | |
Merge pull request #100255 from nh2/sshd-default-log-level-info
sshd service: Default to INFO logLevel (upstream default)
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 7 | ||||
-rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 19 |
2 files changed, 20 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 227dfe834b2..91caa2ccb42 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -351,15 +351,12 @@ in
 logLevel = mkOption {
 type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
- default = "VERBOSE";
+ default = "INFO"; # upstream default
 description = ''
 Gives the verbosity level that is used when logging messages from sshd(8). The possible values are:
- QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1
+ QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1
 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.
-
- LogLevel VERBOSE logs user's key fingerprint on login.
- Needed to have a clear audit track of which key was used to log in.
 '';
 };
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 07702bfb9d0..499d3466750 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -45,7 +45,12 @@ in
 enable = mkOption {
 default = false;
 type = types.bool;
- description = "Whether to enable the fail2ban service.";
+ description = ''
+ Whether to enable the fail2ban service.
+
+ See the documentation of <option>services.fail2ban.jails</option>
+ for what jails are enabled by default.
+ '';
 };
 package = mkOption {
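Review bot: The description now states that the default is INFO, but the fail2ban hunk at `@@ -313,6 +327,9 @@` in this same commit sets `services.openssh.logLevel = lib.mkDefault "VERBOSE"` whenever fail2ban is enabled, so a user reading only this option gets an incomplete picture of what their sshd will actually log. Consider adding to the description: `Note that enabling <option>services.fail2ban</option> raises the default of this option to VERBOSE; see its documentation.` The removed sentences were also the only place this option explained why VERBOSE is useful for auditing (the fingerprint of the key used at login); if that is still accurate for the sshd version shipped, a shortened version of that rationale is worth keeping so users know what they give up by staying at INFO. The enclosing options set starts outside the hunk.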
@@ -221,6 +226,15 @@ in
 defined in <filename>/etc/fail2ban/action.d</filename>, while filters are defined in <filename>/etc/fail2ban/filter.d</filename>.
+
+ NixOS comes with a default <literal>sshd</literal> jail;
+ for it to work well,
+ <option>services.openssh.logLevel</option> should be set to
+ <literal>"VERBOSE"</literal> or higher so that fail2ban
+ can observe failed login attempts.
+ This module sets it to <literal>"VERBOSE"</literal> if
+ not set otherwise, so enabling fail2ban can make SSH logs
+ more verbose.
 '';
 };
@@ -313,6 +327,9 @@ in
 banaction_allports = ${cfg.banaction-allports}
 '';
 # Block SSH if there are too many failing connection attempts.
+ # Benefits from verbose sshd logging to observe failed login attempts,
+ # so we set that here unless the user overrode it.
+ services.openssh.logLevel = lib.mkDefault "VERBOSE";
 services.fail2ban.jails.sshd = mkDefault ''
 enabled = true
 port = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}
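Review bot: The added text recommends setting the level to VERBOSE "or higher", but the sshd option's own description, changed in this same commit, says that logging at a DEBUG level violates the privacy of users and is not recommended, so "or higher" steers readers toward a setting the other module discourages. Suggest dropping the phrase or qualifying it, e.g. `<option>services.openssh.logLevel</option> should be set to <literal>"VERBOSE"</literal> (not a DEBUG level, which sshd discourages for privacy reasons) so that fail2ban can observe failed login attempts.` The enclosing mkOption starts outside the hunk.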
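Review bot: The new assignment is written as `lib.mkDefault` while the very next line in the same block uses the unqualified `mkDefault`, which the file evidently has in scope; `services.openssh.logLevel = mkDefault "VERBOSE";` keeps the style consistent within the hunk. The comment above it says the value applies "unless the user overrode it", which matches what mkDefault does, so the behaviour itself looks right. One thing to be aware of is that the definition applies whenever fail2ban is enabled, not only when the sshd jail is in use; if that matters, it would be worth stating in the comment. The enclosing config block starts and ends outside the hunk.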