nixos/modules/services/security/sshguard.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.sshguard;

in {

  ###### interface

  options = {

    services.sshguard = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Whether to enable the sshguard service.";
      };

      attack_threshold = mkOption {
        default = 30;
        type = types.int;
        description = ''
            Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
          '';
      };

      blacklist_threshold = mkOption {
        default = null;
        example = 120;
        type = types.nullOr types.int;
        description = ''
            Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
          '';
      };

      blacklist_file = mkOption {
        default = "/var/lib/sshguard/blacklist.db";
        type = types.path;
        description = ''
            Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
          '';
      };

      blocktime = mkOption {
        default = 120;
        type = types.int;
        description = ''
            Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.

            sshguard unblocks attacks at random intervals, so actual block times will be longer.
          '';
      };

      detection_time = mkOption {
        default = 1800;
        type = types.int;
        description = ''
            Remember potential attackers for up to detection_time seconds before resetting their score.
          '';
      };

      whitelist = mkOption {
        default = [ ];
        example = [ "198.51.100.56" "198.51.100.2" ];
        type = types.listOf types.str;
        description = ''
            Whitelist a list of addresses, hostnames, or address blocks.
          '';
      };

      services = mkOption {
        default = [ "sshd" ];
        example = [ "sshd" "exim" ];
        type = types.listOf types.str;
        description = ''
            Systemd services sshguard should receive logs of.
          '';
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.etc."sshguard.conf".text = let
      args = lib.concatStringsSep " " ([
        "-afb"
        "-p info"
        "-o cat"
        "-n1"
      ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));
      backend = if config.networking.nftables.enable
        then "sshg-fw-nft-sets"
        else "sshg-fw-ipset";
    in ''
      BACKEND="${pkgs.sshguard}/libexec/${backend}"
      LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
    '';

    systemd.services.sshguard = {
      description = "SSHGuard brute-force attacks protection system";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      partOf = optional config.networking.firewall.enable "firewall.service";

      path = with pkgs; if config.networking.nftables.enable
        then [ nftables iproute systemd ]
        else [ iptables ipset iproute systemd ];

      # The sshguard ipsets must exist before we invoke
      # iptables. sshguard creates the ipsets after startup if
      # necessary, but if we let sshguard do it, we can't reliably add
      # the iptables rules because postStart races with the creation
      # of the ipsets. So instead, we create both the ipsets and
      # firewall rules before sshguard starts.
      preStart = optionalString config.networking.firewall.enable ''
        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
        ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
        ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
      '';

      postStop = optionalString config.networking.firewall.enable ''
        ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP
        ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
        ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
        ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
      '';

      unitConfig.Documentation = "man:sshguard(8)";

      serviceConfig = {
        Type = "simple";
        ExecStart = let
          args = lib.concatStringsSep " " ([
            "-a ${toString cfg.attack_threshold}"
            "-p ${toString cfg.blocktime}"
            "-s ${toString cfg.detection_time}"
            (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
          ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist));
        in "${pkgs.sshguard}/bin/sshguard ${args}";
        Restart = "always";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";
        RuntimeDirectory = "sshguard";
        StateDirectory = "sshguard";
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
      };
    };
  };
}