nixpkgs/nixos/modules/services/security/sshguard.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.sshguard;

in {

  ###### interface

  options = {

    services.sshguard = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Whether to enable the sshguard service.";
      };

      attack_threshold = mkOption {
        default = 30;
        type = types.int;
        description = ''
            Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
          '';
      };

      blacklist_threshold = mkOption {
        default = null;
        example = 120;
        type = types.nullOr types.int;
        description = ''
            Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
          '';
      };

      blacklist_file = mkOption {
        default = "/var/lib/sshguard/blacklist.db";
        type = types.path;
        description = ''
            Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
          '';
      };

      blocktime = mkOption {
        default = 120;
        type = types.int;
        description = ''
            Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.

            sshguard unblocks attacks at random intervals, so actual block times will be longer.
          '';
      };

      detection_time = mkOption {
        default = 1800;
        type = types.int;
        description = ''
            Remember potential attackers for up to detection_time seconds before resetting their score.
          '';
      };

      whitelist = mkOption {
        default = [ ];
        example = [ "198.51.100.56" "198.51.100.2" ];
        type = types.listOf types.str;
        description = ''
            Whitelist a list of addresses, hostnames, or address blocks.
          '';
      };

      services = mkOption {
        default = [ "sshd" ];
        example = [ "sshd" "exim" ];
        type = types.listOf types.str;
        description = ''
            Systemd services sshguard should receive logs of.
          '';
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.etc."sshguard.conf".text = let
      args = lib.concatStringsSep " " ([
        "-afb"
        "-p info"
        "-o cat"
        "-n1"
      ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));
      backend = if config.networking.nftables.enable
        then "sshg-fw-nft-sets"
        else "sshg-fw-ipset";
    in ''
      BACKEND="${pkgs.sshguard}/libexec/${backend}"
      LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
    '';

    systemd.services.sshguard = {
      description = "SSHGuard brute-force attacks protection system";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      partOf = optional config.networking.firewall.enable "firewall.service";

      path = with pkgs; if config.networking.nftables.enable
        then [ nftables iproute systemd ]
        else [ iptables ipset iproute systemd ];

      # The sshguard ipsets must exist before we invoke
      # iptables. sshguard creates the ipsets after startup if
      # necessary, but if we let sshguard do it, we can't reliably add
      # the iptables rules because postStart races with the creation
      # of the ipsets. So instead, we create both the ipsets and
      # firewall rules before sshguard starts.
      preStart = optionalString config.networking.firewall.enable ''
        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
        ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
        ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
      '';

      postStop = optionalString config.networking.firewall.enable ''
        ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP
        ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
        ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
        ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
      '';

      unitConfig.Documentation = "man:sshguard(8)";

      serviceConfig = {
        Type = "simple";
        ExecStart = let
          args = lib.concatStringsSep " " ([
            "-a ${toString cfg.attack_threshold}"
            "-p ${toString cfg.blocktime}"
            "-s ${toString cfg.detection_time}"
            (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
          ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist));
        in "${pkgs.sshguard}/bin/sshguard ${args}";
        Restart = "always";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";
        RuntimeDirectory = "sshguard";
        StateDirectory = "sshguard";
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
      };
    };
  };
}
sshguard: new package 2017-03-07 15:50:33 +00:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.services.sshguard;`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00
sshguard: new package 2017-03-07 15:50:33 +00:00			`in {`

			`###### interface`

			`options = {`

			`services.sshguard = {`
			`enable = mkOption {`
			`default = false;`
			`type = types.bool;`
			`description = "Whether to enable the sshguard service.";`
			`};`

			`attack_threshold = mkOption {`
			`default = 30;`
			`type = types.int;`
			`description = ''`
			`Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.`
			`'';`
			`};`

			`blacklist_threshold = mkOption {`
			`default = null;`
			`example = 120;`
			`type = types.nullOr types.int;`
			`description = ''`
			`Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.`
			`'';`
			`};`

			`blacklist_file = mkOption {`
			`default = "/var/lib/sshguard/blacklist.db";`
			`type = types.path;`
			`description = ''`
			`Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.`
			`'';`
			`};`

			`blocktime = mkOption {`
			`default = 120;`
			`type = types.int;`
			`description = ''`
			`Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.`

			`sshguard unblocks attacks at random intervals, so actual block times will be longer.`
			`'';`
			`};`

			`detection_time = mkOption {`
			`default = 1800;`
			`type = types.int;`
			`description = ''`
			`Remember potential attackers for up to detection_time seconds before resetting their score.`
			`'';`
			`};`

			`whitelist = mkOption {`
			`default = [ ];`
			`example = [ "198.51.100.56" "198.51.100.2" ];`
			`type = types.listOf types.str;`
			`description = ''`
			`Whitelist a list of addresses, hostnames, or address blocks.`
			`'';`
			`};`

			`services = mkOption {`
			`default = [ "sshd" ];`
			`example = [ "sshd" "exim" ];`
			`type = types.listOf types.str;`
			`description = ''`
			`Systemd services sshguard should receive logs of.`
			`'';`
			`};`
			`};`
			`};`

			`###### implementation`

			`config = mkIf cfg.enable {`

sshguard: make it run 2017-09-28 06:05:09 +00:00			`environment.etc."sshguard.conf".text = let`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`args = lib.concatStringsSep " " ([`
			`"-afb"`
			`"-p info"`
			`"-o cat"`
			`"-n1"`
			`] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));`
nixos/sshguard: use nftables backend if enabled The current module assumes use of iptables and breaks if nftables is used instead. This change configures the correct backend based on the config.networking.nftables.enable setting. 2019-09-30 18:20:25 +00:00			`backend = if config.networking.nftables.enable`
			`then "sshg-fw-nft-sets"`
			`else "sshg-fw-ipset";`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`in ''`
nixos/sshguard: use nftables backend if enabled The current module assumes use of iptables and breaks if nftables is used instead. This change configures the correct backend based on the config.networking.nftables.enable setting. 2019-09-30 18:20:25 +00:00			`BACKEND="${pkgs.sshguard}/libexec/${backend}"`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"`
			`'';`

			`systemd.services.sshguard = {`
			`description = "SSHGuard brute-force attacks protection system";`

			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network.target" ];`
			`partOf = optional config.networking.firewall.enable "firewall.service";`

nixos/sshguard: use nftables backend if enabled The current module assumes use of iptables and breaks if nftables is used instead. This change configures the correct backend based on the config.networking.nftables.enable setting. 2019-09-30 18:20:25 +00:00			`path = with pkgs; if config.networking.nftables.enable`
			`then [ nftables iproute systemd ]`
			`else [ iptables ipset iproute systemd ];`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00
nixos/sshguard: create ipsets before starting, and clean up after stopping. The fix for #62874 introduced a race condition on startup: the postStart commands that configure the firewall run concurrently with sshguard's creation of the ipsets that the rules depend on. Unfortunately iptables fails hard when referencing an ipset that doesn't exist, so this causes non-deterministic crashlooping until sshguard wins the race. This change fixes that race condition by always creating the ipset and reconfiguring the firewall before starting sshguard, so that the order of operations is always deterministic. This change also cleans up the ipsets on sshguard shutdown, so that removing sshguard from a running system doesn't leave state behind. Fixes #65985. 2019-08-04 23:20:08 +00:00			`# The sshguard ipsets must exist before we invoke`
			`# iptables. sshguard creates the ipsets after startup if`
			`# necessary, but if we let sshguard do it, we can't reliably add`
			`# the iptables rules because postStart races with the creation`
			`# of the ipsets. So instead, we create both the ipsets and`
			`# firewall rules before sshguard starts.`
nixos/sshguard: use nftables backend if enabled The current module assumes use of iptables and breaks if nftables is used instead. This change configures the correct backend based on the config.networking.nftables.enable setting. 2019-09-30 18:20:25 +00:00			`preStart = optionalString config.networking.firewall.enable ''`
nixos/sshguard: create ipsets before starting, and clean up after stopping. The fix for #62874 introduced a race condition on startup: the postStart commands that configure the firewall run concurrently with sshguard's creation of the ipsets that the rules depend on. Unfortunately iptables fails hard when referencing an ipset that doesn't exist, so this causes non-deterministic crashlooping until sshguard wins the race. This change fixes that race condition by always creating the ipset and reconfiguring the firewall before starting sshguard, so that the order of operations is always deterministic. This change also cleans up the ipsets on sshguard shutdown, so that removing sshguard from a running system doesn't leave state behind. Fixes #65985. 2019-08-04 23:20:08 +00:00			`${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet`
			`${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP`
			`${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP`
			`'';`

nixos/sshguard: use nftables backend if enabled The current module assumes use of iptables and breaks if nftables is used instead. This change configures the correct backend based on the config.networking.nftables.enable setting. 2019-09-30 18:20:25 +00:00			`postStop = optionalString config.networking.firewall.enable ''`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP`
			`${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP`
nixos/sshguard: create ipsets before starting, and clean up after stopping. The fix for #62874 introduced a race condition on startup: the postStart commands that configure the firewall run concurrently with sshguard's creation of the ipsets that the rules depend on. Unfortunately iptables fails hard when referencing an ipset that doesn't exist, so this causes non-deterministic crashlooping until sshguard wins the race. This change fixes that race condition by always creating the ipset and reconfiguring the firewall before starting sshguard, so that the order of operations is always deterministic. This change also cleans up the ipsets on sshguard shutdown, so that removing sshguard from a running system doesn't leave state behind. Fixes #65985. 2019-08-04 23:20:08 +00:00			`${pkgs.ipset}/bin/ipset -quiet destroy sshguard4`
			`${pkgs.ipset}/bin/ipset -quiet destroy sshguard6`
sshguard: new package 2017-03-07 15:50:33 +00:00			`'';`

nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`unitConfig.Documentation = "man:sshguard(8)";`

			`serviceConfig = {`
			`Type = "simple";`
			`ExecStart = let`
			`args = lib.concatStringsSep " " ([`
			`"-a ${toString cfg.attack_threshold}"`
			`"-p ${toString cfg.blocktime}"`
			`"-s ${toString cfg.detection_time}"`
			`(optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")`
			`] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist));`
			`in "${pkgs.sshguard}/bin/sshguard ${args}";`
			`Restart = "always";`
			`ProtectSystem = "strict";`
			`ProtectHome = "tmpfs";`
			`RuntimeDirectory = "sshguard";`
			`StateDirectory = "sshguard";`
			`CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";`
sshguard: new package 2017-03-07 15:50:33 +00:00			`};`
nixos/sshguard: fix syslog ids, no more pid file, cleanups 1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted. 2019-01-23 10:20:28 +00:00			`};`
sshguard: new package 2017-03-07 15:50:33 +00:00			`};`
			`}`