From 3d4dc62dc9d0dac4dc936d2a2a4fa08b3f86bc73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Fri, 5 Jul 2024 16:12:27 +0300
Subject: [PATCH] Add fail2ban SSH protection

---
 base.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/base.nix b/base.nix
index 15cb4b4..9cfd764 100644
--- a/base.nix
+++ b/base.nix
@@ -72,12 +72,31 @@
 '';

 #################### SSH configuration ####################
- services.openssh.enable = true;
- services.openssh.settings.PasswordAuthentication = false;
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbGREoK1uVny1s8FK3KZ74Wmaf0VtifhqPyK69C/Gez vili@helium"
 ];

+ #################### Basic fail2ban configuration ####################
+ services.fail2ban = {
+ enable = true;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ factor = "2";
+ formula = "ban.Time * (1 << (min(ban.Count, 6) * banFactor))";
+ maxtime = "90d";
+ };
+ jails = {
+ DEFAULT.settings = {
+ findtime = 3600;
+ };
+ };
+ };
+
 #################### BASE ####################
 nixpkgs.config.allowUnfree = true;
 networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
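Review bot: The rewritten `services.openssh` block disables `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at its NixOS default, which as far as I recall is `true`, so sshd can still offer a PAM keyboard-interactive prompt that accepts the same account passwords — the brute-force surface this commit adds fail2ban to cover stays partly open. I would add `settings.KbdInteractiveAuthentication = false;` beside the existing line and pin `settings.PermitRootLogin = "prohibit-password";` explicitly, since the only authorized key in this file is installed for root. The new `services.fail2ban` block sets no `ignoreIP`, and with `factor = "2"` and `maxtime = "90d"` a handful of failures from the admin's own address (a stale key offered by the agent is enough) would lock that address out for a long time; consider `services.fail2ban.ignoreIP = [ "<admin-network>" ];`. No sshd jail is declared here — the NixOS module presumably enables one by default, but `jails.sshd.settings.enabled = true;` would make that intent visible and survive a change in module defaults. It is also worth confirming against the fail2ban version in nixpkgs that `min` is available inside the restricted namespace used to evaluate `bantime-increment.formula`, otherwise the escalation will not behave as the comment-free formula suggests.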