bebop: Enable fail2ban and move SSH config to separate host-module
fail2ban bans an IP address from further SSH login attempts after 5 failed retries. Local (private-network) addresses are currently always allowed.
This commit is contained in:
parent
bccff2788a
commit
e5c98d80c2
3 changed files with 24 additions and 7 deletions
@ -96,6 +96,7 @@
|
|||
./hosts/bebop/syncthing.nix
|
||||
./hosts/bebop/navidrome.nix
|
||||
./hosts/bebop/pihole.nix
|
||||
./hosts/bebop/ssh.nix
|
||||
|
||||
# User-specific config : Home-manager
|
||||
home-manager.nixosModules.home-manager
|
||||
|
@ -51,13 +51,6 @@ in
|
|||
nix-direnv
|
||||
];
|
||||
|
||||
programs.ssh.startAgent = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "prohibit-password";
|
||||
passwordAuthentication = false;
|
||||
};
|
||||
|
||||
# Make sure dumb ssh-add is run on every interactive entry
|
||||
# Make no mistake, this is a hack. But until I find better solution, it works.
|
||||
programs.fish.interactiveShellInit = ''
|
||||
|
|
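--- /dev/null
+++ b/hosts/bebop/ssh.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+  programs.ssh.startAgent = true;
+  services = {
+    openssh = {
+      enable = true;
+      permitRootLogin = "prohibit-password";
+      passwordAuthentication = false;
+    };
+
+    fail2ban = {
+      enable = true;
+      maxretry = 5;
+      ignoreIP = [
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+      ];
+    };
+  };
+}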
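Review bot: `passwordAuthentication = false;` on its own (the openssh block of the new file) does not necessarily stop password logins, because NixOS leaves keyboard-interactive authentication enabled by default and sshd can still take a password through that PAM path; add `kbdInteractiveAuthentication = false;` next to it (on NixOS 23.05 and later the same three settings live under `settings.PermitRootLogin`, `settings.PasswordAuthentication` and `settings.KbdInteractiveAuthentication`, and the top-level names used here only emit deprecation warnings until they are removed). The `config` argument in `{ config, ... }:` is never used and can be dropped from the attribute set. The fail2ban block relies on the default bantime, so an address that trips `maxretry` is only locked out for a short fixed period; `bantime-increment.enable = true;` would make repeat offenders stay banned progressively longer, which is what a public SSH endpoint usually wants.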