diff --git a/nixos/hosts/framework-server/fail2ban/traefik.nix b/nixos/hosts/framework-server/fail2ban/traefik.nix
index 4b4d610d..e29bef86 100644
--- a/nixos/hosts/framework-server/fail2ban/traefik.nix
+++ b/nixos/hosts/framework-server/fail2ban/traefik.nix
@@ -8,7 +8,7 @@
 traefik-general-forceful-browsing = {
 settings = {
 enabled = true;
- filter = "traefik-general-forceful-browsingo";
+ filter = "traefik-general-forceful-browsing";
 action = ''action-ban-docker-forceful-browsing'';
 logpath = "/var/log/traefik/access.log";
 backend = "auto";
@@ -35,5 +35,15 @@
 # ignore common errors like missing media files or JS/CSS/TXT/ICO stuff
 ignoreregex = ^{"ClientAddr":".*","ClientHost":"","ClientPort":".*","ClientUsername":".*","DownstreamContentSize":.*,"DownstreamStatus":.*,"Duration":.*,"OriginContentSize":.*,"OriginDuration":.*,"OriginStatus":(405|404|403|402|401),"Overhead":.*,"RequestAddr":".*","RequestContentSize":.*,"RequestCount":.*,"RequestHost":".*","RequestMethod":".*","RequestPath":".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?","RequestPort":".*","RequestProtocol":".*","RequestScheme":".*","RetryAttempts":.*,.*"StartLocal":".*","StartUTC":".*","TLSCipher":".*","TLSVersion":".*","entryPointName":".*","level":".*","msg":".*",("request_User-Agent":".*",){0,1}?"time":".*"}$
 '');
+
+ "fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+
+ actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+ iptables -A INPUT -s -j DROP
+
+ actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+ iptables -D INPUT -s -j DROP
+ '');
 };
 }
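Review bot: In the new `actionban`, the host rule is appended with `iptables -A INPUT -s <ip> -j DROP` while the DOCKER-USER rule is inserted with `-I`; appended at the tail of INPUT the DROP lands after whatever ACCEPT rules already exist there (the NixOS firewall's established/related and open-port rules, if that module is in use), so a banned client can most likely still reach the host directly — use `iptables -I INPUT -s <ip> -j DROP` here, as fail2ban's stock iptables actions do, and keep `-D` for the unban. As rendered, both rules read `-s -j DROP` and `--string 'X-Forwarded-For: '` with no address, which looks like the page having stripped the angle-bracketed fail2ban `<ip>` tag; if the file really lacks it the commands fail and no ban is ever applied, so it is worth confirming in the repository. The `-m string` match only sees the header when the hop from Traefik to the container is plaintext HTTP, and it is a substring match, so banning `10.0.0.1` also drops packets carrying `X-Forwarded-For: 10.0.0.12` — a short comment above `actionban` such as `# substring match on the XFF header of the plaintext upstream request; addresses sharing the prefix are hit too` would save the next reader the surprise. Without an `actioncheck`, rules lost to a firewall reload are not restored until the next ban. The enclosing attribute set starts before this hunk.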