fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent
All services with openFirewall = true are now covered. The *arr suite shares a single filter since they use the same logging codebase. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
This commit is contained in:
Claude
parent
16363dc887
commit
4935d42e48
1 changed files with 82 additions and 5 deletions
|
|
@ -27,7 +27,7 @@
|
|||
|
||||
jails = {
|
||||
|
||||
# SSH brute force — uses built-in sshd filter via journald
|
||||
# SSH brute force — built-in sshd filter via journald
|
||||
sshd = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
|
|
@ -37,8 +37,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Nginx Proxy Manager — watches Docker-mounted log files
|
||||
# Catches repeated 401/403 responses (auth failures, bad requests)
|
||||
# Nginx Proxy Manager — watches Docker-mounted log files for 401/403s
|
||||
nginx-proxy-manager = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
|
|
@ -49,7 +48,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Jellyfin auth failures — uses journald backend
|
||||
# Jellyfin auth failures — journald
|
||||
jellyfin = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
|
|
@ -60,10 +59,88 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Sonarr — log files at dataDir/logs/
|
||||
sonarr = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
filter = "arr-apps";
|
||||
logpath = "/var/lib/sonarr/logs/*.txt";
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
};
|
||||
};
|
||||
|
||||
# Radarr — log files at dataDir/logs/
|
||||
radarr = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
filter = "arr-apps";
|
||||
logpath = "/var/lib/radarr/logs/*.txt";
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
};
|
||||
};
|
||||
|
||||
# Prowlarr — log files at dataDir/logs/
|
||||
prowlarr = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
filter = "arr-apps";
|
||||
logpath = "/var/lib/prowlarr/logs/*.txt";
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
};
|
||||
};
|
||||
|
||||
# Bazarr — log files at dataDir/log/
|
||||
bazarr = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
filter = "bazarr";
|
||||
logpath = "/var/lib/bazarr/log/*.txt";
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
};
|
||||
};
|
||||
|
||||
# qBittorrent-nox — watches journald for web UI login failures
|
||||
qbittorrent = {
|
||||
settings = {
|
||||
enabled = true;
|
||||
filter = "qbittorrent";
|
||||
backend = "systemd";
|
||||
journalmatch = "_SYSTEMD_UNIT=qbittorrent-nox.service";
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
# Custom Jellyfin filter — matches failed auth log lines from the journal
|
||||
# Shared filter for Sonarr, Radarr, Prowlarr — they all use the same *arr codebase
|
||||
environment.etc."fail2ban/filter.d/arr-apps.conf".text = ''
|
||||
[Definition]
|
||||
failregex = .*Auth-Failure ip <HOST>
|
||||
ignoreregex =
|
||||
'';
|
||||
|
||||
# Bazarr (Python/Flask) auth failure filter
|
||||
environment.etc."fail2ban/filter.d/bazarr.conf".text = ''
|
||||
[Definition]
|
||||
failregex = .*login attempt.*<HOST>
|
||||
.*unauthorized.*<HOST>
|
||||
ignoreregex =
|
||||
'';
|
||||
|
||||
# qBittorrent web UI login failure filter
|
||||
environment.etc."fail2ban/filter.d/qbittorrent.conf".text = ''
|
||||
[Definition]
|
||||
failregex = .*WebAPI login failure.*remote IP: <HOST>
|
||||
ignoreregex =
|
||||
'';
|
||||
|
||||
# Jellyfin filter
|
||||
environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''
|
||||
[Definition]
|
||||
failregex = ^.*Authentication request for .* has been denied \(IP: "<HOST>"\).*$
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue