From 9fbc311c2d519644c34a4f16c32c0921cf40d5ba Mon Sep 17 00:00:00 2001
From: Arpad Krejczinger
Date: Fri, 12 Sep 2025 20:38:07 +0200
Subject: [PATCH] Add comprehensive fail2ban security configuration

- config/fail2ban/jail.local: Main jail configuration with SSH, web, and service protection
- config/fail2ban/filter.d/sshd-ddos.conf: SSH connection flooding protection
- config/fail2ban/filter.d/nginx-badbots.conf: Web scanner and bot detection
- config/fail2ban/filter.d/gitea-auth.conf: Gitea authentication failure detection
- Includes deployment instructions for automated IP banning
---
 config/fail2ban/filter.d/gitea-auth.conf | 9 ++
 config/fail2ban/filter.d/nginx-badbots.conf | 17 ++++
 config/fail2ban/filter.d/sshd-ddos.conf | 10 +++
 config/fail2ban/jail.local | 98 +++++++++++++++++++++
 4 files changed, 134 insertions(+)
 create mode 100644 config/fail2ban/filter.d/gitea-auth.conf
 create mode 100644 config/fail2ban/filter.d/nginx-badbots.conf
 create mode 100644 config/fail2ban/filter.d/sshd-ddos.conf
 create mode 100644 config/fail2ban/jail.local

diff --git a/config/fail2ban/filter.d/gitea-auth.conf b/config/fail2ban/filter.d/gitea-auth.conf
new file mode 100644
index 0000000..ff66196
--- /dev/null
+++ b/config/fail2ban/filter.d/gitea-auth.conf
@@ -0,0 +1,9 @@
+# Fail2ban filter for Gitea authentication failures
+# Deploy to: /etc/fail2ban/filter.d/gitea-auth.conf
+
+[Definition]
+failregex = .*Failed authentication attempt for .* from
+ .*Invalid credentials from
+ .*Login attempt failed .* from
+
+ignoreregex =
\ No newline at end of file
diff --git a/config/fail2ban/filter.d/nginx-badbots.conf b/config/fail2ban/filter.d/nginx-badbots.conf
new file mode 100644
index 0000000..c4d577e
--- /dev/null
+++ b/config/fail2ban/filter.d/nginx-badbots.conf
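Review bot: None of the three failregex lines carries a `<HOST>` (or `<ADDR>`) capture as rendered here — each stops at `from` — and fail2ban rejects a failregex that has no host/failure-id group, so if the tag is really absent from the file rather than lost in rendering the gitea-auth jail never starts; the same applies to every `^ -.*"` line in nginx-badbots.conf and the `from port \d+` lines in sshd-ddos.conf, e.g. `failregex = Failed authentication attempt for .* from <HOST>`. The leading `.*` on each alternative adds nothing, since failregex is searched rather than anchored, and is worth dropping for speed. If Gitea sits behind the nginx instance the other jails cover, the address it logs is the proxy's unless Gitea is configured to trust forwarded headers, so confirm a real client IP appears in gitea.log before enabling the jail — otherwise every ban targets 127.0.0.1, which the jail's ignoreip silently discards.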
@@ -0,0 +1,17 @@
+# Fail2ban filter for nginx bad bots and scanners
+# Deploy to: /etc/fail2ban/filter.d/nginx-badbots.conf
+
+[Definition]
+failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404|405|406|407|408|409|410|411|412|413|414|415|416|417|500|501|502|503|504|505)
+ ^ -.*".*sqlmap.*"
+ ^ -.*".*nikto.*"
+ ^ -.*".*nmap.*"
+ ^ -.*".*masscan.*"
+ ^ -.*".*nessus.*"
+ ^ -.*".*openvas.*"
+ ^ -.*".*vega.*"
+ ^ -.*".*morfeus.*"
+ ^ -.*".*ZmEu.*"
+ ^ -.*".*Havij.*"
+
+ignoreregex =
\ No newline at end of file
diff --git a/config/fail2ban/filter.d/sshd-ddos.conf b/config/fail2ban/filter.d/sshd-ddos.conf
new file mode 100644
index 0000000..6565c9f
--- /dev/null
+++ b/config/fail2ban/filter.d/sshd-ddos.conf
@@ -0,0 +1,10 @@
+# Fail2ban filter for SSH DDoS attacks
+# Deploy to: /etc/fail2ban/filter.d/sshd-ddos.conf
+# Catches rapid connection attempts that may overwhelm SSH
+
+[Definition]
+failregex = ^%(__prefix_line)sConnection from port \d+$
+ ^%(__prefix_line)sConnection closed by port \d+ \[preauth\]$
+ ^%(__prefix_line)sDisconnected from port \d+ \[preauth\]$
+
+ignoreregex =
\ No newline at end of file
diff --git a/config/fail2ban/jail.local b/config/fail2ban/jail.local
new file mode 100644
index 0000000..e7ee982
--- /dev/null
+++ b/config/fail2ban/jail.local
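Review bot: The first failregex line matches every GET/POST/HEAD that receives any 4xx or 5xx status, so with the settings jail.local gives this filter (`maxretry = 2`, `findtime = 600`, `bantime = 86400`) two 404s — a missing favicon.ico, a stale bookmark, any 503 during a deploy — ban a legitimate visitor for a day; drop that line, or narrow it to the probe paths fail2ban's stock nginx-botsearch filter targets, and keep this file for the scanner signatures only. The signature lines are case-sensitive, unanchored substrings of the whole request line, so `.*vega.*` also fires on a path containing "vegan" and `.*nmap.*` on any URL containing those letters; anchor them to the user-agent field (the last quoted field of the combined log format) and use word boundaries, for example `^<HOST> -.*" "[^"]*\bsqlmap\b` (constructed example). A one-line comment above the list stating which log format the regexes assume, e.g. `# expects nginx "combined" access log format`, would save the next reader from guessing.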
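Review bot: Every failregex here uses `%(__prefix_line)s`, but that name is defined in fail2ban's common.conf and this file has no `[INCLUDES]` section, so interpolation fails and the filter does not load; add above `[Definition]` the two lines `[INCLUDES]` / `before = common.conf`. The first pattern, `Connection from … port \d+`, counts every connection rather than a failure, so a legitimate burst of more than six connections inside the jail's 60-second findtime (a git push fan-out, an ansible run, a scripted rsync against port 2222) bans that client for an hour — a self-inflicted outage rather than protection — so drop that line or raise maxretry for this jail. Since fail2ban 0.10 the stock sshd filter offers this behaviour as `filter = sshd[mode=ddos]`, which needs no custom file and already includes common.conf; worth a comment here explaining why a separate filter is preferred if it is kept.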
@@ -0,0 +1,98 @@
+# Fail2ban Jail Configuration for Homelab
+# Deploy to: /etc/fail2ban/jail.local
+#
+# Setup commands:
+# sudo cp config/fail2ban/jail.local /etc/fail2ban/
+# sudo systemctl restart fail2ban
+# sudo systemctl enable fail2ban
+
+[DEFAULT]
+# Ban settings
+bantime = 3600
+findtime = 600
+maxretry = 5
+banaction = ufw
+backend = systemd
+
+# Ignore local networks and your management IPs
+ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 10.0.0.0/8
+
+# Email notifications (configure if needed)
+# destemail = your-email@domain.com
+# sender = fail2ban@homelab
+# action = %(action_mwl)s
+
+#
+# SSH Protection (Critical - Primary attack vector)
+#
+[sshd]
+enabled = true
+port = 2222
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 7200
+findtime = 300
+
+[sshd-ddos]
+enabled = true
+port = 2222
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 6
+bantime = 3600
+findtime = 60
+
+#
+# Web Service Protection
+#
+[nginx-http-auth]
+enabled = true
+filter = nginx-http-auth
+logpath = /var/log/nginx/error.log
+maxretry = 3
+bantime = 3600
+
+[nginx-badbots]
+enabled = true
+filter = nginx-badbots
+logpath = /var/log/nginx/access.log
+maxretry = 2
+bantime = 86400
+findtime = 600
+
+[nginx-noscript]
+enabled = true
+filter = nginx-noscript
+logpath = /var/log/nginx/access.log
+maxretry = 6
+bantime = 86400
+
+[nginx-noproxy]
+enabled = true
+filter = nginx-noproxy
+logpath = /var/log/nginx/access.log
+maxretry = 2
+bantime = 86400
+
+#
+# Docker/Container Protection
+#
+[gitea-auth]
+enabled = true
+filter = gitea-auth
+logpath = /opt/docker/gitea/data/log/gitea.log
+maxretry = 5
+bantime = 1800
+findtime = 300
+
+#
+# System Protection
+#
+[systemd-auth]
+enabled = true
+filter = systemd-auth
+logpath = /var/log/auth.log
+maxretry = 5
+bantime = 3600
+findtime = 300
\ No newline at end of file
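Review bot: `backend = systemd` in `[DEFAULT]` applies to every jail, and with the systemd backend fail2ban reads the journal and does not consult `logpath`, so the file-only sources here — /var/log/nginx/access.log, /var/log/nginx/error.log and the Docker-side /opt/docker/gitea/data/log/gitea.log — are never scanned and nginx-http-auth, nginx-badbots, nginx-noscript, nginx-noproxy and gitea-auth match nothing (unless nginx is configured to log to the journal, which is not the default); change the default to `backend = auto` and, if the host is journald-only, put `backend = systemd` inside `[sshd]` alone. Separately, `[nginx-noscript]`, `[nginx-noproxy]` and `[systemd-auth]` name filters that this commit does not add and that I cannot find in fail2ban's stock filter.d, so unless they already exist on the host those jails fail to load with an "unable to read the filter" error, and on some versions that aborts the whole reload. The setup comment copies only jail.local, while each filter file carries its own "Deploy to:" path, so the sshd-ddos, nginx-badbots and gitea-auth jails fail the same way until `sudo cp config/fail2ban/filter.d/*.conf /etc/fail2ban/filter.d/` is added to those commands. The ignoreip comment should also state plainly that all of 10/8 and 192.168/16 is exempt, since a compromised LAN host will then never be banned by any jail.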