Commit message

The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for successful logins, see:
https://github.com/openssh/openssh-portable/blob/6247812c76f70b2245f3c23f5074665b3d436cae/auth.c#L323-L328
Also update description to the wording of the sshd_config man page.
`fail2ban` needs sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.
The docs are updated accordingly.
This makes the service fail when upgrading the package, so let's
properly restart it instead.
Some ban actions need additional packages (e.g. ipset). Since actions can be
provided by the user, we need something general that's easy to configure.
We could also enable ipset regardless of the actual configuration of the system
if the iptables firewall is in use (like sshguard does), but that seems very
clumsy and wouldn't easily solve the binary-not-found problems other actions may
also have.
It's not possible to set a different default maxretry value in the DEFAULT jail
because the module already does so. Expose the maxretry option to the
configuration to remedy this. (We can't really remove it entirely because
fail2ban defaults to 5.)
This commit should not change eval results
Improvement to the ssh-iptables to block the port(s) actually defined
for sshd in config.services.openssh.ports
iproute is required for blocking via null routes; without it, rules
based on routes.conf will fail.
Closes #15638
With jails defaulting to 'enabled = true', the sshd jail that NixOS
defines will now be enabled.
[Bjørn: tweak commit message]
I'm not really sure which one of types.lines or types.str fits
better, but I'm going for types.lines because it behaves more like the
current type (i.e. it has the ability to merge).
- upgrade fail2ban to 0.9
- override systemd to enable python support and include sqlite3 module
- make fail2ban enablable
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
Creating /run/fail2ban didn't work since it didn't have write
permission to /run. Now it does.
Reported by Thomas Bereknyei.
Also fix random start failures due to a race between the fail2ban
server and the postStart script.