flyingcircusio · ctheune · Nov 1, 2024 · Oct 30, 2024
diff --git a/changelog.d/20241031_142143_PL-132477-dheat-ssh_scriv.md b/changelog.d/20241031_142143_PL-132477-dheat-ssh_scriv.md
@@ -0,0 +1,22 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+### Impact
+
+- Activate DDoS SSH rules in fail2ban for non-production machines
+
+### NixOS XX.XX platform
+
+- Activate DDoS SSH rules in fail2ban for non-production machines. (PL-132477)
+  This may have impact if you have multiple unauthenticated SSH connections in a short time.
+  We will roll out this change to production VMs too if no problems occur.
diff --git a/doc/src/firewall.md b/doc/src/firewall.md
@@ -114,3 +114,10 @@ ip6tables -L -nv   # show IPv6 firewall rules w/o DNS resolution
 
 If the intended rules do not show up, check the system journal for possible
 syntax errors in {file}`/etc/local/firewall` and re-run {command}`fc-manage -b`.
+
+## Fail2ban
+
+We use fail2ban to protect against brute-force attacks and DoS vectors via unauthenticated connections.
+
+Currently we only have the SSH jail enabled in the `ddos` mode. If you have 5 authentication failures
+or trigger the DDoS rules within 10 minutes, your IP will be blocked for 10 minutes.
diff --git a/nixos/platform/default.nix b/nixos/platform/default.nix
@@ -377,22 +377,28 @@ in {
       # overrides it
       cron.enable = fclib.mkPlatform true;
 
-      fail2ban.enable = fclib.mkPlatform true;
-      fail2ban.ignoreIP =
-        [
-          # loopback
-          "127.0.0.1/8"
-          "::1"
-
-          # rfc1918 addresses
-          "10.0.0.0/8"
-          "172.16.0.0/12"
-          "192.168.0.0/16"
-        ] ++
-        cfg.static.firewall.trusted ++
-        (flatten
-          (builtins.map (v: builtins.attrNames v.networks)
-            (builtins.attrValues (attrByPath [ "parameters" "interfaces" ] {} cfg.enc))));
+      fail2ban = let
+        production = lib.attrByPath [ "parameters" "production" ] false config.flyingcircus.enc;
+      in {
+        enable = fclib.mkPlatform true;
+        maxretry = fclib.mkPlatform 5;
+        jails.sshd.settings.mode = lib.mkIf production (fclib.mkPlatform "ddos");
+        ignoreIP =
+          [
+            # loopback
+            "127.0.0.1/8"
+            "::1"
+
+            # rfc1918 addresses
+            "10.0.0.0/8"
+            "172.16.0.0/12"
+            "192.168.0.0/16"
+          ] ++
+          cfg.static.firewall.trusted ++
+          (flatten
+            (builtins.map (v: builtins.attrNames v.networks)
+              (builtins.attrValues (attrByPath [ "parameters" "interfaces" ] {} cfg.enc))));
+      };
 
       nscd.enable = true;
       openssh.enable = fclib.mkPlatform true;