From ebaf1511609da17dbc0bc3943db63cbbae7de62b Mon Sep 17 00:00:00 2001 From: Leona Maroni Date: Wed, 30 Oct 2024 12:20:48 +0100 Subject: [PATCH] Activate fail2ban sshd ddos jail for non production machines PL-132477 --- ...241031_142143_PL-132477-dheat-ssh_scriv.md | 22 +++++++++++ doc/src/firewall.md | 7 ++++ nixos/platform/default.nix | 38 +++++++++++-------- 3 files changed, 51 insertions(+), 16 deletions(-) create mode 100644 changelog.d/20241031_142143_PL-132477-dheat-ssh_scriv.md diff --git a/changelog.d/20241031_142143_PL-132477-dheat-ssh_scriv.md b/changelog.d/20241031_142143_PL-132477-dheat-ssh_scriv.md new file mode 100644 index 000000000..c7b624dcb --- /dev/null +++ b/changelog.d/20241031_142143_PL-132477-dheat-ssh_scriv.md @@ -0,0 +1,22 @@ + + +### Impact + +- Activate DDoS SSH rules in fail2ban for non-production machines + +### NixOS XX.XX platform + +- Activate DDoS SSH rules in fail2ban for non-production machines. (PL-132477) + This may have impact if you have multiple unauthenticated SSH connections in a short time. + We will roll out this change to production VMs too if no problems occur. diff --git a/doc/src/firewall.md b/doc/src/firewall.md index c26156ef8..efe9db41b 100644 --- a/doc/src/firewall.md +++ b/doc/src/firewall.md @@ -114,3 +114,10 @@ ip6tables -L -nv # show IPv6 firewall rules w/o DNS resolution If the intended rules do not show up, check the system journal for possible syntax errors in {file}`/etc/local/firewall` and re-run {command}`fc-manage -b`. + +## Fail2ban + +We use fail2ban to protect against brute-force attacks and DoS vectors via unauthenticated connections. + +Currently we only have the SSH jail enabled in the `ddos` mode. If you have 5 authentication failures +or trigger the DDoS rules within 10 minutes, your IP will be blocked for 10 minutes. diff --git a/nixos/platform/default.nix b/nixos/platform/default.nix index 28c4262b6..71133a894 100644 --- a/nixos/platform/default.nix +++ b/nixos/platform/default.nix 
@@ -377,22 +377,28 @@ in { # overrides it cron.enable = fclib.mkPlatform true; - fail2ban.enable = fclib.mkPlatform true; - fail2ban.ignoreIP = - [ - # loopback - "127.0.0.1/8" - "::1" - - # rfc1918 addresses - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - ] ++ - cfg.static.firewall.trusted ++ - (flatten - (builtins.map (v: builtins.attrNames v.networks) - (builtins.attrValues (attrByPath [ "parameters" "interfaces" ] {} cfg.enc)))); + fail2ban = let + production = lib.attrByPath [ "parameters" "production" ] false config.flyingcircus.enc; + in { + enable = fclib.mkPlatform true; + maxretry = fclib.mkPlatform 5; + jails.sshd.settings.mode = lib.mkIf production (fclib.mkPlatform "ddos"); + ignoreIP = + [ + # loopback + "127.0.0.1/8" + "::1" + + # rfc1918 addresses + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + ] ++ + cfg.static.firewall.trusted ++ + (flatten + (builtins.map (v: builtins.attrNames v.networks) + (builtins.attrValues (attrByPath [ "parameters" "interfaces" ] {} cfg.enc)))); + }; nscd.enable = true; openssh.enable = fclib.mkPlatform true;
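Review bot: The condition on the added `jails.sshd.settings.mode` line is inverted relative to the commit subject and the changelog entry: `lib.mkIf production (fclib.mkPlatform "ddos")` applies the `ddos` mode only when the ENC reports `production = true`, so production VMs would get the stricter jail while non-production ones presumably stay in fail2ban's default sshd mode — the opposite of the stated staged rollout. It should read `jails.sshd.settings.mode = lib.mkIf (!production) (fclib.mkPlatform "ddos");`, ideally with a comment such as `# Staged rollout: ddos mode on non-production machines first, production later (PL-132477)` so the next reader does not "fix" it back. Note also that `maxretry = fclib.mkPlatform 5` sits at the top level and therefore applies to every jail, not just sshd, and the firewall.md text promises a 10-minute findtime/bantime that this hunk never sets, so those values apparently rely on fail2ban defaults — either set `findtime`/`bantime` explicitly here or say in the doc that they are the defaults. The `let` reads `config.flyingcircus.enc` via `lib.attrByPath` while the `ignoreIP` expression a few lines below uses `attrByPath … cfg.enc`; picking one form would read more consistently. The enclosing attribute set starts and ends outside this hunk.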