From a68fc5cb0de2adbcabf81649436d902eadc052ca Mon Sep 17 00:00:00 2001
From: Devin Finlinson
Date: Fri, 21 Nov 2025 22:35:08 -0700
Subject: two changes: first, set up rsyslog and fail2ban to block router spam (not yet working as fail2ban can't access ssh keys without permissions) second, set up a port forward to doretta for minecraft servers (seems to work first try)
---
 machines/biski/default.nix | 91 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 2 deletions(-)
diff --git a/machines/biski/default.nix b/machines/biski/default.nix
index 1255911..b05d289 100644
--- a/machines/biski/default.nix
+++ b/machines/biski/default.nix
@@ -34,6 +34,71 @@
 };
 security.pam.sshAgentAuth.enable = true;
+ services.rsyslogd = {
+ enable = true;
+ extraConfig = ''
+ $ModLoad imudp
+ $UDPServerRun 10514
+ *.* /var/log/rsyslog-remote.log
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/action.d/routeros.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Init]
+
+ # SSH credentials to use to log into the router
+ user = FCWadmin
+ port = 2200
+ pubkey = /etc/fail2ban/.id_routeros
+
+ # SSH connection command
+ ssh = /run/current-system/sw/bin/ssh
+ cmd = -i -p @64.77.244.138
+
+ # What to do on ban.
+ action = tarpit
+ chain = fail2ban
+
+ # Command-shortening aliases
+ iff = /ip/firewall/filter
+ what = src-address="" chain=""
+ addwhat = dst-port="" proto="tcp" action=""
+
+ [Definition]
+
+ actionban = ' add place-before=0'
+ actionunban = ' remove numbers=[find ]'
+ '');
+
+ # Defines a filter for Mikrotik login failures by reading rsyslog
+ "fail2ban/filter.d/routeros-rsyslog-sshd.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ _router = ([a-zA-Z0-9.-]+)
+ failregex = ^\s?<_router> .* login failure for user .* from via ssh
+ '');
+ };
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # Whitelist some subnets
+ "205.192.218.182/29"
+ "10.0.0.0/8"
+ ];
+ jails = {
+ routeros-rsyslog-sshd.settings = {
+ enabled = true;
+ filter = "routeros-rsyslog-sshd";
+ action = "routeros";
+ logpath = "/var/log/rsyslog-remote.log";
+ backend = "polling";
+ ignoreself = true;
+ maxretry = 3;
+ findtime = 600;
+ };
+ };
+ };
+
 # Set your time zone.
 time.timeZone = "US/Mountain";
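Review bot: The receiver configured by `$ModLoad imudp` / `$UDPServerRun 10514` takes unauthenticated UDP syslog from any sender, and the second hunk opens 10514 on every interface, so spoofed datagrams that match the filter can make the `routeros` action tarpit whichever source address the forger names on the router (only the `ignoreIP` ranges are protected), which turns the ban mechanism into a denial-of-service lever. Limit the listener to the router's own address, e.g. `$AllowedSender UDP, 64.77.244.138` in `extraConfig` or a `networking.firewall.extraInputRules` rule restricted to that saddr, and consider anchoring `_router` to the router's real hostname rather than `([a-zA-Z0-9.-]+)`. As rendered here `failregex` ends in `from via ssh` with no `<HOST>` capture; if that is the real file rather than an extraction artefact, fail2ban cannot extract an address and the jail will never ban. On the permission problem in the commit message: OpenSSH rejects a private key that is readable by group or others, and the NixOS fail2ban unit is hardened so ssh may also be unable to read or write `known_hosts` under `/root`; the lock file already pins sops-nix, so placing `.id_routeros` through `sops.secrets` with owner/mode set for the fail2ban unit, plus `-o UserKnownHostsFile=<pinned-file> -o StrictHostKeyChecking=yes` in `cmd`, is the cleaner route and keeps the key out of a world-readable `/etc/fail2ban/`. `pkgs.lib.mkDefault (pkgs.lib.mkAfter …)` on the string-typed `environment.etc.<name>.text` adds nothing over a plain string and can be dropped.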
@@ -65,8 +130,30 @@
 };
 # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedTCPPorts = [ 25565 ];
+ networking.firewall.allowedUDPPorts = [ 10514 ];
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
+ }
+ }
+ '';
+ };
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "eno1" ];
+ externalInterface = "tailscale0";
+ forwardPorts = [{
+ sourcePort = 25565;
+ proto = "tcp";
+ destination = "100.64.0.2:25565";
+ }];
+ };
+
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
--
cgit v1.2.3
From 173df9aa7c7969acfea4c35a7d314bc61361b630 Mon Sep 17 00:00:00 2001
From: Devin Finlinson
Date: Sat, 22 Nov 2025 11:35:17 -0700
Subject: update
---
 flake.lock | 50 +++++++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/flake.lock b/flake.lock
index 832e04d..7c9f8e4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -310,7 +310,7 @@
 "hugo-congo": {
 "flake": false,
 "locked": {
- "narHash": "sha256-1SjemV/8NUSjQB3SdmuM6ALnDsgGp8aQhrNUvJ0rxWU=",
+ "narHash": "sha256-2dyCZ+/p3lYMWr1MIQJSFxH2k/NsCNHxDWKAW0F7o7k=",
 "type": "file",
 "url": "https://github.com/jpanther/congo"
 },
@@ -395,11 +395,11 @@
 "xdph": "xdph"
 },
 "locked": {
- "lastModified": 1763071594,
- "narHash": "sha256-s5FF0rQE6UIBAUfqk5ZqGedU3bhW0OvXfmz5lzJGurY=",
+ "lastModified": 1763819976,
+ "narHash": "sha256-W/893N/ifviI1PP1BVIwhYhstN8s5UOsi5lvaYupXhA=",
 "owner": "hyprwm",
 "repo": "Hyprland",
- "rev": "43527d363472b52f17dd9f9f4f87ec25cbf8a399",
+ "rev": "e584a8bade2617899d69ae6f83011d0c1d2a9df7",
 "type": "github"
 },
 "original": {
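Review bot: The `networking.nat.forwardPorts` entry and the hand-written `table ip nat` PREROUTING rule both DNAT tcp/25565 to `100.64.0.2:25565`, but as far as I can tell the NixOS nat module matches forwardPorts on `iifname <externalInterface>`, which is `tailscale0` here, so that entry never sees traffic arriving on `eno1` and the custom ruleset is what actually works; keep one of the two (the `networking.nat` block appears to still be needed for the masquerade out of tailscale0) and say so in a comment, otherwise the next reader will assume the declarative entry is the live rule. `networking.firewall.allowedTCPPorts = [ 25565 ]` opens the port on biski's own input path, which forwarded traffic does not traverse, so it can go if nothing on biski itself listens on 25565. `allowedUDPPorts = [ 10514 ]` exposes the rsyslog receiver from the first hunk on every interface including eno1; a `networking.firewall.extraInputRules` rule limited to the router's source address is safer than a bare port allow. Note that masquerading through tailscale0 means doretta sees every Minecraft client as biski's tailscale address, so any per-client banning or rate limiting has to happen on biski, not on doretta.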
@@ -495,11 +495,11 @@
 ]
 },
 "locked": {
- "lastModified": 1758927902,
- "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=",
+ "lastModified": 1763254292,
+ "narHash": "sha256-JNgz3Fz2KMzkT7aR72wsgu/xNeJB//LSmdilh8Z/Zao=",
 "owner": "hyprwm",
 "repo": "hyprlang",
- "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da",
+ "rev": "deea98d5b61d066bdc7a68163edd2c4bd28d3a6b",
 "type": "github"
 },
 "original": {
@@ -572,11 +572,11 @@
 ]
 },
 "locked": {
- "lastModified": 1762387740,
- "narHash": "sha256-gQ9zJ+pUI4o+Gh4Z6jhJll7jjCSwi8ZqJIhCE2oqwhQ=",
+ "lastModified": 1763323331,
+ "narHash": "sha256-+Z0OfCo1MS8/aIutSAW5aJR9zTae1wz9kcJYMgpwN6M=",
 "owner": "hyprwm",
 "repo": "hyprutils",
- "rev": "926689ddb9c0a8787e58c02c765a62e32d63d1f7",
+ "rev": "0c6411851cc779d551edc89b83966696201611aa",
 "type": "github"
 },
 "original": {
@@ -670,11 +670,11 @@
 "spectrum": "spectrum"
 },
 "locked": {
- "lastModified": 1762200934,
- "narHash": "sha256-Bv4ZKRPsIc6W7qF1I2fevxFETqRNuG3XOsiRIfJ7YlQ=",
+ "lastModified": 1763429621,
+ "narHash": "sha256-xJD3vjEdDP+/XKLgPAkaX44s2xuiAeOhCdjs2jrALY4=",
 "owner": "astro",
 "repo": "microvm.nix",
- "rev": "1d05a3c26dbb9d4b1cd644e10713a70d8740cb6a",
+ "rev": "c4e4a264da114c618251b17eb4c959f86376e530",
 "type": "github"
 },
 "original": {
@@ -828,11 +828,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1762844143,
- "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=",
+ "lastModified": 1763678758,
+ "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4",
+ "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b",
 "type": "github"
 },
 "original": {
@@ -860,11 +860,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1762756533,
- "narHash": "sha256-HiRDeUOD1VLklHeOmaKDzf+8Hb7vSWPVFcWwaTrpm+U=",
+ "lastModified": 1763622513,
+ "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c2448301fb856e351aab33e64c33a3fc8bcf637d",
+ "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
 "type": "github"
 },
 "original": {
@@ -900,11 +900,11 @@
 ]
 },
 "locked": {
- "lastModified": 1762441963,
- "narHash": "sha256-j+rNQ119ffYUkYt2YYS6rnd6Jh/crMZmbqpkGLXaEt0=",
+ "lastModified": 1763319842,
+ "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "8e7576e79b88c16d7ee3bbd112c8d90070832885",
+ "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
 "type": "github"
 },
 "original": {
@@ -944,11 +944,11 @@
 ]
 },
 "locked": {
- "lastModified": 1763069729,
- "narHash": "sha256-A91a+K0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb+s=",
+ "lastModified": 1763607916,
+ "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "a2bcd1c25c1d29e22756ccae094032ab4ada2268",
+ "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b",
 "type": "github"
 },
 "original": {
--
cgit v1.2.3