fail2ban: disable tor lists

some people have legimitate interest in accessing our services via tor
in case of abuse out of these networks this commit can be reverted
This commit is contained in:
Rouven Seifert 2023-11-02 22:50:23 +01:00
parent a9d4543da7
commit 85e6ebbc29
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09

View file

@ -11,11 +11,6 @@
}; };
jails = { jails = {
tor = ''
enabled = true
bantime = 25h
action = nftables-allports
'';
dovecot = '' dovecot = ''
enabled = true enabled = true
# aggressive mode to add blocking for aborted connections # aggressive mode to add blocking for aborted connections
@ -29,30 +24,4 @@
''; '';
}; };
}; };
environment.etc = {
# dummy filter
"fail2ban/filter.d/tor.conf".text = ''
[Definition]
failregex =
ignoreregex =
'';
};
systemd.services."fail2ban-tor" = {
script = ''
${lib.getExe pkgs.curl} -fsSL "https://check.torproject.org/torbulkexitlist" | sed '/^#/d' | while read IP; do
${config.services.fail2ban.package}/bin/fail2ban-client set "tor" banip "$IP" > /dev/null
done
'';
};
systemd.timers."fail2ban-tor" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "fail2ban-tor.service";
};
};
} }