44 lines
1.1 KiB
Nix
44 lines
1.1 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
services.openssh = {
|
|
enable = true;
|
|
ports = [ 22 ];
|
|
settings = {
|
|
AllowUsers = [ "wieerwill" ];
|
|
X11Forwarding = false;
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "prohibit-password";
|
|
KbdInteractiveAuthentication = false;
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
22 # SSH
|
|
80 # HTTP
|
|
443 # HTTPS
|
|
22000 # Syncthing
|
|
9050 # Tor SOCKS
|
|
9051 # Tor Control
|
|
5353 # Tor DNS (if using virtual DNS)
|
|
];
|
|
allowedUDPPorts = [ ];
|
|
};
|
|
|
|
services.fail2ban = {
|
|
enable = true;
|
|
maxretry = 3; # Ban IP after 3 failures
|
|
bantime = "24h"; # Ban IPs for one day on the first ban
|
|
bantime-increment = {
|
|
enable = true; # increment of bantime after each violation
|
|
#formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
|
|
multipliers = "1 2 4 8 16 32 64";
|
|
maxtime = "168h"; # Do not ban for more than 1 week
|
|
overalljails = true; # bantime based on all violations
|
|
};
|
|
};
|
|
|
|
}
|