networking and security updates

hosts/falkenstein/modules/fail2ban/default.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, ... }:
 {
   services.fail2ban = {
     enable = true;
@@ -7,11 +7,15 @@
       enable = true;
     };
     jails = {
+      sshd = lib.mkForce ''
+        enabled = true
+        port = ssh
+        filter= sshd[mode=aggressive]
+      '';
       dovecot = ''
         enabled = true
         # aggressive mode add blocking for aborted connections
         filter = dovecot[mode=aggressive]
-        bantime = 10m
         maxretry = 3
       '';
       postfix = ''

hosts/falkenstein/modules/mail/default.nix

@@ -15,10 +15,9 @@ let
 in
 {
   networking.firewall.allowedTCPPorts = [
-    25 # insecure SMTP
-    465
-    587 # SMTP
-    993 # IMAP
+    25 # SMTP
+    465 # SUBMISSONS
+    993 # IMAPS
     4190 # sieve
   ];
   users.users.rouven = {