{ config, lib, pkgs, ... }: with lib; let cfg = config.services.sshguard; configFile = let args = lib.concatStringsSep " " ([ "-afb" "-p info" "-o cat" "-n1" ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset"; in pkgs.writeText "sshguard.conf" '' BACKEND="${pkgs.sshguard}/libexec/${backend}" LOGREADER="LANG=C ${config.systemd.package}/bin/journalctl ${args}" ''; in { ###### interface options = { services.sshguard = { enable = mkOption { default = false; type = types.bool; description = "Whether to enable the sshguard service."; }; attack_threshold = mkOption { default = 30; type = types.int; description = '' Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10. ''; }; blacklist_threshold = mkOption { default = null; example = 120; type = types.nullOr types.int; description = '' Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. ''; }; blacklist_file = mkOption { default = "/var/lib/sshguard/blacklist.db"; type = types.path; description = '' Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. ''; }; blocktime = mkOption { default = 120; type = types.int; description = '' Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5. sshguard unblocks attacks at random intervals, so actual block times will be longer. ''; }; detection_time = mkOption { default = 1800; type = types.int; description = '' Remember potential attackers for up to detection_time seconds before resetting their score. ''; }; whitelist = mkOption { default = [ ]; example = [ "198.51.100.56" "198.51.100.2" ]; type = types.listOf types.str; description = '' Whitelist a list of addresses, hostnames, or address blocks. ''; }; services = mkOption { default = [ "sshd" ]; example = [ "sshd" "exim" ]; type = types.listOf types.str; description = '' Systemd services sshguard should receive logs of. ''; }; }; }; ###### implementation config = mkIf cfg.enable { environment.etc."sshguard.conf".source = configFile; systemd.services.sshguard = { description = "SSHGuard brute-force attacks protection system"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; restartTriggers = [ configFile ]; path = with pkgs; if config.networking.nftables.enable then [ nftables iproute2 systemd ] else [ iptables ipset iproute2 systemd ]; # The sshguard ipsets must exist before we invoke # iptables. sshguard creates the ipsets after startup if # necessary, but if we let sshguard do it, we can't reliably add # the iptables rules because postStart races with the creation # of the ipsets. So instead, we create both the ipsets and # firewall rules before sshguard starts. preStart = optionalString config.networking.firewall.enable '' ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ''; postStop = optionalString config.networking.firewall.enable '' ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 ''; unitConfig.Documentation = "man:sshguard(8)"; serviceConfig = { Type = "simple"; ExecStart = let args = lib.concatStringsSep " " ([ "-a ${toString cfg.attack_threshold}" "-p ${toString cfg.blocktime}" "-s ${toString cfg.detection_time}" (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)); in "${pkgs.sshguard}/bin/sshguard ${args}"; Restart = "always"; ProtectSystem = "strict"; ProtectHome = "tmpfs"; RuntimeDirectory = "sshguard"; StateDirectory = "sshguard"; CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; }; }; }; }