From 6fc8b69fff83368029ae43a8cc3537fca66a131a Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Fri, 26 Apr 2024 05:23:15 -0400
Subject: [PATCH] Infini-OPTIPLEX: add nginx url probe jail

---
 hosts/Infini-OPTIPLEX/default.nix | 15 +++++++++++++++
 hosts/Infini-OPTIPLEX/web.nix | 14 +++++--------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/hosts/Infini-OPTIPLEX/default.nix b/hosts/Infini-OPTIPLEX/default.nix
index d391368..11c6155 100644
--- a/hosts/Infini-OPTIPLEX/default.nix
+++ b/hosts/Infini-OPTIPLEX/default.nix
@@ -60,6 +60,21 @@
 services.fail2ban.enable = true;
+ environment.etc."fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git|notifications)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+ '');
+
+ services.fail2ban.jails.nginx-url-probe.settings = {
+ enabled = true;
+ filter = "nginx-url-probe";
+ logpath = "/var/log/nginx/access.log";
+ action = "%(action_)s[blocktype=DROP]";
+ backend = "auto";
+ maxretry = 5;
+ findtime = 600;
+ };
+
 services.nginx.enable = true;
 security.acme.certs."inx.moe" = {
diff --git a/hosts/Infini-OPTIPLEX/web.nix b/hosts/Infini-OPTIPLEX/web.nix
index 2b168d9..bf77d72 100644
--- a/hosts/Infini-OPTIPLEX/web.nix
+++ b/hosts/Infini-OPTIPLEX/web.nix
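Review bot: The added `failregex =` line has no `<HOST>` group, so fail2ban has no address to ban from a match; fail2ban rejects a failregex that lacks a host/failure-id group when the filter is loaded, so the new nginx-url-probe jail will fail to start rather than quietly match nothing. The nginx access log line begins with the client address, so anchor the pattern on it by replacing the leading `^.*(` with `^<HOST>.*(` and leaving the rest of the alternation as it is. A short comment above the filter text, e.g. `# <HOST> must stay in failregex: it is the group fail2ban bans on`, would keep a later edit from dropping it again. It is also worth confirming that this host's nginx really writes `/var/log/nginx/access.log` with the address first, since the hunk shows only the `logpath` literal and not the nginx log configuration.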
@@ -23,18 +23,14 @@ in
 root = "/srv/web/inx.moe";
 tryFiles = "$uri $uri.html $uri/ =404";
 extraConfig = ''
- deny all;
+ error_page 403 /403.html;
+ error_page 404 /404.html;
- error_page 403 404 /404.html;
+ location ^~ /.well-known { allow all; }
 location = /template.html { deny all; }
- location /.git { deny all; }
-
- location = /404.html { allow all; internal; }
-
- location ~* "\.(html|css|txt)$" { allow all; }
- location ~ "/[^.]+" { allow all; }
- location ~ "/$" { allow all; }
+ location ~* "\.(nix|lock)" { deny all; }
+ location ~ "/\..+" { deny all; }
 '';
 };
 };
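Review bot: Removing `location = /404.html { allow all; internal; }` leaves `/403.html` and `/404.html` with no `internal` marker in the new config, so both error pages are now served directly with a 200 status instead of only through the `error_page` redirects; `location = /403.html { internal; }` and `location = /404.html { internal; }` would restore that. The new `location ~* "\.(nix|lock)"` is unanchored where the removed allow rule used `$`, so it also denies paths such as `/a.nix.html` or `/foo.lockfile`; if only the extensions are meant, `"\.(nix|lock)$"` is the narrower form. Dropping `deny all` in favour of a deny-list means every other file under `/srv/web/inx.moe` is now served, which the commit message does not state; a one-line comment above `extraConfig` recording that intent would help the next reader. The `extraConfig` string sits inside a virtual-host attribute set whose start is outside the hunk.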