| author | Devin Finlinson <devin.finlinson@pm.me> | 2025-11-21 22:35:08 -0700 |
|---|---|---|
| committer | Devin Finlinson <devin.finlinson@pm.me> | 2025-11-21 22:35:08 -0700 |
| commit | a68fc5cb0de2adbcabf81649436d902eadc052ca (patch) | |
| tree | 02cd1a717c6aa6d7b900b50e8ed769b339cd9ca6 | |
| parent | a94fbd21b8b362bca22ad13475f96cdf3d1fb3d7 (diff) | |
two changes: first, set up rsyslog and fail2ban to block router spam
(not yet working: fail2ban cannot read the ssh key because of file permissions)
second, set up a port forward to doretta for minecraft servers
(seems to work first try)
| -rw-r--r-- | machines/biski/default.nix | 91 |
1 files changed, 89 insertions, 2 deletions
diff --git a/machines/biski/default.nix b/machines/biski/default.nix
index 1255911..b05d289 100644
--- a/machines/biski/default.nix
+++ b/machines/biski/default.nix
@@ -34,6 +34,71 @@ }; security.pam.sshAgentAuth.enable = true;
+ services.rsyslogd = {
+ enable = true;
+ extraConfig = ''
+ $ModLoad imudp
+ $UDPServerRun 10514
+ *.* /var/log/rsyslog-remote.log
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/action.d/routeros.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Init]
+
+ # SSH credentials to use to log into the router
+ user = FCWadmin
+ port = 2200
+ pubkey = /etc/fail2ban/.id_routeros
+
+ # SSH connection command
+ ssh = /run/current-system/sw/bin/ssh
+ cmd = <ssh> -i <pubkey> -p <port> <user>@64.77.244.138
+
+ # What to do on ban.
+ action = tarpit
+ chain = fail2ban
+
+ # Command-shortening aliases
+ iff = /ip/firewall/filter
+ what = src-address="<ip>" chain="<chain>"
+ addwhat = <what> dst-port="<port>" proto="tcp" action="<action>"
+
+ [Definition]
+
+ actionban = <cmd> '<iff> add <addwhat> place-before=0'
+ actionunban = <cmd> '<iff> remove numbers=[find <what>]'
+ '');
+
+ # Defines a filter for Mikrotik login failures by reading rsyslog
+ "fail2ban/filter.d/routeros-rsyslog-sshd.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ _router = (<F-ROUTER>[a-zA-Z0-9.-]+</F-ROUTER>)
+ failregex = ^\s?<_router> .* login failure for user .* from <HOST> via ssh
+ '');
+ };
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # Whitelist some subnets
+ "205.192.218.182/29"
+ "10.0.0.0/8"
+ ];
+ jails = {
+ routeros-rsyslog-sshd.settings = {
+ enabled = true;
+ filter = "routeros-rsyslog-sshd";
+ action = "routeros";
+ logpath = "/var/log/rsyslog-remote.log";
+ backend = "polling";
+ ignoreself = true;
+ maxretry = 3;
+ findtime = 600;
+ };
+ };
+ };
+ # Set your time zone. time.timeZone = "US/Mountain";
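Review bot: The ban action's ssh command (`cmd = <ssh> -i <pubkey> -p <port> <user>@64.77.244.138`) is run non-interactively by fail2ban with no host-key or batch options, so on first contact it will fail host-key verification (or hang on a prompt) instead of connecting; pin the router's key and fail closed with `cmd = <ssh> -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/fail2ban/known_hosts -i <pubkey> -p <port> <user>@64.77.244.138`. On the input side the jail bans whatever `<HOST>` appears in lines arriving over unauthenticated UDP syslog (`$UDPServerRun 10514` with no `$UDPServerAddress` or `$AllowedSender`), so anyone who can send a spoofed datagram to that port can have arbitrary addresses blocked on the router and burn its filter table; at minimum add `$AllowedSender UDP, 64.77.244.138` before `$UDPServerRun`, assuming the router logs from the same address the action sshes to, which the hunk does not show. The private key at `/etc/fail2ban/.id_routeros` must not be provisioned through `environment.etc` like its neighbours here: that places it in the world-readable Nix store at mode 0444, and ssh refuses group/world-readable keys, which would match the "permissions" symptom in the commit message — keep it a root-owned 0600 file outside the store. The rules are added to a RouterOS chain named `fail2ban`; they only take effect if the router's `input` chain jumps to it, which this commit does not establish. The enclosing module attribute set starts and ends outside this hunk.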
@@ -65,8 +130,30 @@ }; # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedTCPPorts = [ 25565 ];
+ networking.firewall.allowedUDPPorts = [ 10514 ];
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
+ }
+ }
+ '';
+ };
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "eno1" ];
+ externalInterface = "tailscale0";
+ forwardPorts = [{
+ sourcePort = 25565;
+ proto = "tcp";
+ destination = "100.64.0.2:25565";
+ }];
+ };
+ # Or disable the firewall altogether. # networking.firewall.enable = false; |
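Review bot: `networking.firewall.allowedUDPPorts = [ 10514 ]` opens the rsyslog receiver on every interface, including whichever one faces the internet, while its only legitimate sender is the router; since the nftables firewall is enabled here, scope it by source instead, e.g. `networking.firewall.extraInputRules = "ip saddr 64.77.244.138 udp dport 10514 accept";` and drop the global entry (assuming the router logs from the address the fail2ban action sshes to, which the hunk does not show). The Minecraft forward is configured twice: the hand-written `table ip nat` PREROUTING rule matches on `eno1`, whereas `networking.nat.forwardPorts` is, as I read the NixOS nat module, applied to traffic arriving on `externalInterface` (`tailscale0`, the tunnel side) — so one of the two is dead, and if the nftables rule is the one that works, the `forwardPorts` block should go and `networking.nat` stay only for the masquerade that makes doretta's replies come back through this host. `allowedTCPPorts = [ 25565 ]` only opens the host's input chain; DNATed packets traverse the forward chain, so whether they pass depends on `networking.firewall.filterForward`, which is not visible here and worth a comment next to the rule. The enclosing module attribute set starts and ends outside this hunk.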
