From f45dc51a331a24f0c1f7fc08a5f1600cd1766e14 Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Tue, 3 Sep 2024 17:10:51 -0700
Subject: harden ssh
---
 modules/services/fail2ban.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'modules/services/fail2ban.nix')
diff --git a/modules/services/fail2ban.nix b/modules/services/fail2ban.nix
index d768eb6..fa45565 100644
--- a/modules/services/fail2ban.nix
+++ b/modules/services/fail2ban.nix
@@ -1,3 +1,4 @@
+{ lib, config, ... }:
 {
 services.fail2ban = {
 enable = false;
@@ -7,5 +8,11 @@
 "172.16.0.0/12"
 "192.168.0.0/16"
 ];
+
+ jails.sshd.settings = {
+ enabled = true;
+ filter = "sshd[mode=aggressive]";
+ port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports);
+ };
 };
 }
--
cgit v1.2.3
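Review bot: The new `jails.sshd.settings` block is added under `services.fail2ban`, where the first hunk's context still shows `enable = false;`. Unless another module forces that option on, the service never starts and this jail bans nothing, so the commit would not harden SSH on its own. Either set `enable = true;` here or add a comment such as `# enabled per-host via lib.mkForce` naming where it is switched on. The list closing just above the jail looks like an ignore list of RFC 1918 ranges (its option name is outside the hunk); if so, a comment should note that clients on those networks are exempt from this jail, which matters more with `mode=aggressive`. As a style point, `port` can be written as `lib.concatMapStringsSep "," toString config.services.openssh.ports`.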