movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-19 16:40:32 +03:00
Code Activity
nixpkgs/nixos/modules/services/security/sshguard.nix
Silvan Mosberger d9d87c5196 treewide: format all inactive Nix files 
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \
      --argstr baseRev 0128fbb0a5
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:29:24 +01:00

199 lines
5.7 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.sshguard;
configFile =
let
args = lib.concatStringsSep " " (
[
"-afb"
"-p info"
"-o cat"
"-n1"
]
++ (map (name: "-t ${escapeShellArg name}") cfg.services)
);
backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";
in
pkgs.writeText "sshguard.conf" ''
BACKEND="${pkgs.sshguard}/libexec/${backend}"
LOGREADER="LANG=C ${config.systemd.package}/bin/journalctl ${args}"
'';
in
{
###### interface
options = {
services.sshguard = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to enable the sshguard service.";
};
attack_threshold = mkOption {
default = 30;
type = types.int;
description = ''
Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
'';
};
blacklist_threshold = mkOption {
default = null;
example = 120;
type = types.nullOr types.int;
description = ''
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
'';
};
blacklist_file = mkOption {
default = "/var/lib/sshguard/blacklist.db";
type = types.path;
description = ''
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
'';
};
blocktime = mkOption {
default = 120;
type = types.int;
description = ''
Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.
sshguard unblocks attacks at random intervals, so actual block times will be longer.
'';
};
detection_time = mkOption {
default = 1800;
type = types.int;
description = ''
Remember potential attackers for up to detection_time seconds before resetting their score.
'';
};
whitelist = mkOption {
default = [ ];
example = [
"198.51.100.56"
"198.51.100.2"
];
type = types.listOf types.str;
description = ''
Whitelist a list of addresses, hostnames, or address blocks.
'';
};
services = mkOption {
default = [ "sshd" ];
example = [
"sshd"
"exim"
];
type = types.listOf types.str;
description = ''
Systemd services sshguard should receive logs of.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.etc."sshguard.conf".source = configFile;
systemd.services.sshguard = {
description = "SSHGuard brute-force attacks protection system";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ configFile ];
path =
with pkgs;
if config.networking.nftables.enable then
[
nftables
iproute2
systemd
]
else
[
iptables
ipset
iproute2
systemd
];
# The sshguard ipsets must exist before we invoke
# iptables. sshguard creates the ipsets after startup if
# necessary, but if we let sshguard do it, we can't reliably add
# the iptables rules because postStart races with the creation
# of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts.
preStart =
optionalString config.networking.firewall.enable ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
''
+ optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
'';
postStop =
optionalString config.networking.firewall.enable ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
''
+ optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
'';
unitConfig.Documentation = "man:sshguard(8)";
serviceConfig = {
Type = "simple";
ExecStart =
let
args = lib.concatStringsSep " " (
[
"-a ${toString cfg.attack_threshold}"
"-p ${toString cfg.blocktime}"
"-s ${toString cfg.detection_time}"
(optionalString (
cfg.blacklist_threshold != null
) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
]
++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)
);
in
"${pkgs.sshguard}/bin/sshguard ${args}";
Restart = "always";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
RuntimeDirectory = "sshguard";
StateDirectory = "sshguard";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
};
};
}
View git blame Copy permalink