diff --git a/services/fail2ban.nix b/services/fail2ban.nix index c2d3057..56fc95f 100644 --- a/services/fail2ban.nix +++ b/services/fail2ban.nix @@ -27,7 +27,7 @@ jails = { - # SSH brute force — uses built-in sshd filter via journald + # SSH brute force — built-in sshd filter via journald sshd = { settings = { enabled = true; @@ -37,8 +37,7 @@ }; }; - # Nginx Proxy Manager — watches Docker-mounted log files - # Catches repeated 401/403 responses (auth failures, bad requests) + # Nginx Proxy Manager — watches Docker-mounted log files for 401/403s nginx-proxy-manager = { settings = { enabled = true; @@ -49,7 +48,7 @@ }; }; - # Jellyfin auth failures — uses journald backend + # Jellyfin auth failures — journald jellyfin = { settings = { enabled = true; @@ -60,10 +59,88 @@ }; }; + # Sonarr — log files at dataDir/logs/ + sonarr = { + settings = { + enabled = true; + filter = "arr-apps"; + logpath = "/var/lib/sonarr/logs/*.txt"; + maxretry = 5; + bantime = "1h"; + }; + }; + + # Radarr — log files at dataDir/logs/ + radarr = { + settings = { + enabled = true; + filter = "arr-apps"; + logpath = "/var/lib/radarr/logs/*.txt"; + maxretry = 5; + bantime = "1h"; + }; + }; + + # Prowlarr — log files at dataDir/logs/ + prowlarr = { + settings = { + enabled = true; + filter = "arr-apps"; + logpath = "/var/lib/prowlarr/logs/*.txt"; + maxretry = 5; + bantime = "1h"; + }; + }; + + # Bazarr — log files at dataDir/log/ + bazarr = { + settings = { + enabled = true; + filter = "bazarr"; + logpath = "/var/lib/bazarr/log/*.txt"; + maxretry = 5; + bantime = "1h"; + }; + }; + + # qBittorrent-nox — watches journald for web UI login failures + qbittorrent = { + settings = { + enabled = true; + filter = "qbittorrent"; + backend = "systemd"; + journalmatch = "_SYSTEMD_UNIT=qbittorrent-nox.service"; + maxretry = 5; + bantime = "1h"; + }; + }; + }; }; - # Custom Jellyfin filter — matches failed auth log lines from the journal + # Shared filter for Sonarr, Radarr, Prowlarr — they all use the same *arr codebase + environment.etc."fail2ban/filter.d/arr-apps.conf".text = '' + [Definition] + failregex = .*Auth-Failure ip + ignoreregex = + ''; + + # Bazarr (Python/Flask) auth failure filter + environment.etc."fail2ban/filter.d/bazarr.conf".text = '' + [Definition] + failregex = .*login attempt.* + .*unauthorized.* + ignoreregex = + ''; + + # qBittorrent web UI login failure filter + environment.etc."fail2ban/filter.d/qbittorrent.conf".text = '' + [Definition] + failregex = .*WebAPI login failure.*remote IP: + ignoreregex = + ''; + + # Jellyfin filter environment.etc."fail2ban/filter.d/jellyfin.conf".text = '' [Definition] failregex = ^.*Authentication request for .* has been denied \(IP: ""\).*$