fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin

Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
2026-04-06 08:21:23 +00:00 · 2026-04-06 08:21:23 +00:00 · 16363dc887
commit 16363dc887
parent f5bb08d7dd
3 changed files with 76 additions and 2 deletions
--- a/common.nix
+++ b/common.nix
@ -30,6 +30,7 @@
    ./services/bazarr.nix
    ./services/cloudflare-ddns.nix
    ./services/crowdsec.nix
    ./services/fail2ban.nix
  ];
  ### Make build time quicker
--- a/hosts/FredOS-Mediaserver.nix
+++ b/hosts/FredOS-Mediaserver.nix
@ -18,8 +18,6 @@
      yt-dlp
    ];
    services.fail2ban.enable = true;
    # Enable Docker
    virtualisation.docker.enable = true;
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -0,0 +1,75 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
    services.fail2ban = {
      enable = true;
      # Default ban settings (overridable per jail)
      maxretry = 5;
      bantime = "1h";
      # Progressively longer bans for repeat offenders, up to 1 week
      bantime-increment = {
        enable = true;
        multiplier = "1 2 4 8 16 32 64";
        maxtime = "168h";
        overalljails = true;
      };
      # Never ban local network traffic
      ignoreIP = [
        "127.0.0.1/8"
        "::1"
        "192.168.0.0/16"
        "10.0.0.0/8"
      ];
      jails = {
        # SSH brute force — uses built-in sshd filter via journald
        sshd = {
          settings = {
            enabled = true;
            filter = "sshd";
            maxretry = 5;
            bantime = "1h";
          };
        };
        # Nginx Proxy Manager — watches Docker-mounted log files
        # Catches repeated 401/403 responses (auth failures, bad requests)
        nginx-proxy-manager = {
          settings = {
            enabled = true;
            filter = "nginx-http-auth";
            logpath = "/home/fred/docker/nginx-proxy-manager/data/logs/*.log";
            maxretry = 10;
            bantime = "1h";
          };
        };
        # Jellyfin auth failures — uses journald backend
        jellyfin = {
          settings = {
            enabled = true;
            backend = "systemd";
            journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
            maxretry = 5;
            bantime = "2h";
          };
        };
      };
    };
    # Custom Jellyfin filter — matches failed auth log lines from the journal
    environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''
      [Definition]
      failregex = ^.*Authentication request for .* has been denied \(IP: "<HOST>"\).*$
                  ^.*Error processing request from remote IP Address <HOST>.*$
      ignoreregex =
    '';
  };
 }