Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fail2ban service: improve ssh jail #21131

Merged
merged 3 commits into from
Dec 14, 2016
Merged

Conversation

c0bw3b
Copy link
Contributor

@c0bw3b c0bw3b commented Dec 13, 2016

Motivation for this change

The default jail defined for sshd was blocking the port tcp/22 regardless of what is actually configured for the openssh daemon through config.services.openssh.ports

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Improvement to the ssh-iptables to block the port(s) actually defined
for sshd in config.services.openssh.ports
@mention-bot
Copy link

@c0bw3b, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @lihop and @groxxda to be potential reviewers.

@nlewo
Copy link
Member

nlewo commented Dec 14, 2016

@c0bw3b could you please rebase your commits (remove merges) ?
Otherwise, LGMT.
I tested with nixos-build-vms

{
  fail2ban = {pkgs, config, ...}:
    {
      services.openssh.enable = true;
      nixpkgs.system = "i686-linux";
      services.openssh.ports = [ 22  2222 ];
      services.fail2ban.enable = true;
    };
}

and it works fine.

@globin globin merged commit fa0a63e into NixOS:master Dec 14, 2016
@globin
Copy link
Member

globin commented Dec 14, 2016

Squash-merged, thanks 👍

@c0bw3b
Copy link
Contributor Author

c0bw3b commented Dec 14, 2016

Thanks @globin
Yes sorry about the remote-tracking commits... will avoid playing with Github Desktop on something intended to become a PR on Nixos from now on. :)

@c0bw3b c0bw3b deleted the fail2ban-service branch December 14, 2016 18:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants