forked from mirrors/nixpkgs
Merge pull request #100255 from nh2/sshd-default-log-level-info
sshd service: Default to INFO logLevel (upstream default)
commit
959c4e82bc
@ -321,7 +321,26 @@
</section>
<section xml:id="sec-release-21.11-notable-changes">
<title>Other Notable Changes</title>
<para>
</para>
<itemizedlist>
<listitem>
<para>
The setting
<link xlink:href="options.html#opt-services.openssh.logLevel"><literal>services.openssh.logLevel</literal></link>
<literal>"VERBOSE"</literal>
<literal>"INFO"</literal>. This brings NixOS in line
with upstream and other Linux distributions, and reduces log
spam on servers due to bruteforcing botnets.
</para>
<para>
However, if
<link xlink:href="options.html#opt-services.fail2ban.enable"><literal>services.fail2ban.enable</literal></link>
is <literal>true</literal>, the <literal>fail2ban</literal>
will override the verbosity to
<literal>"VERBOSE"</literal>, so that
<literal>fail2ban</literal> can observe the failed login
attempts from the SSH logs.
</para>
</listitem>
</itemizedlist>
</section>
</section>
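Review bot: "will override the verbosity to "VERBOSE"" in the second `<para>` overstates what the fail2ban module does: the fail2ban.nix change in this same PR uses `lib.mkDefault "VERBOSE"`, which only supplies a default that an explicit `services.openssh.logLevel` setting still wins over, so write "will set the default to "VERBOSE" unless you set it yourself". The same sentence reads "the fail2ban will override"; either drop "the" or say "the fail2ban module". The first `<para>` is also missing the words that join the old and new values (it reads `"VERBOSE"` `"INFO"` as shown here); spell it out as "changed its default from "VERBOSE" to "INFO"". Apply the same fixes to the markdown copy of the release notes below so the two stay in sync.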
@ -79,3 +79,7 @@ In addition to numerous new and upgraded packages, this release has the followin
old 2.7.7 version.
## Other Notable Changes {#sec-release-21.11-notable-changes}
- The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
However, if [`services.fail2ban.enable`](options.html#opt-services.fail2ban.enable) is `true`, the `fail2ban` will override the verbosity to `"VERBOSE"`, so that `fail2ban` can observe the failed login attempts from the SSH logs.
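Review bot: the bullet has the same gap as the XML version: `"VERBOSE"` `"INFO"` follow each other with no verb or preposition between them, so the sentence does not say what changed; write "changed its default from `"VERBOSE"` to `"INFO"`". In the second paragraph, "the `fail2ban` will override the verbosity" should become "the fail2ban module will set the default to `"VERBOSE"` unless you set it yourself", matching the `mkDefault` used in fail2ban.nix, and whatever wording is chosen should be identical in both release-note formats.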
@ -351,15 +351,12 @@ in
logLevel = mkOption {
type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
default = "VERBOSE";
default = "INFO"; # upstream default
description = ''
Gives the verbosity level that is used when logging messages from sshd(8). The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1
are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level
violates the privacy of users and is not recommended.
LogLevel VERBOSE logs user's key fingerprint on login.
Needed to have a clear audit track of which key was used to log in.
'';
};
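Review bot: the two removed description lines ("LogLevel VERBOSE logs user's key fingerprint on login." / "Needed to have a clear audit track of which key was used to log in.") were the only place this option told administrators what they give up by staying at INFO, and that matters more now that INFO is the default; keep that information in the new description, e.g. "Set to VERBOSE to log the fingerprint of the key used for each login, which gives an audit trail of which key was used." The rest of the change is consistent: the `default` line, the "The default is INFO." sentence and the `types.enum` agree, and the `# upstream default` comment documents why the value was chosen.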
@ -45,7 +45,12 @@ in
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to enable the fail2ban service.";
description = ''
Whether to enable the fail2ban service.
See the documentation of <option>services.fail2ban.jails</option>
for what jails are enabled by default.
'';
};
package = mkOption {
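Review bot: the new `enable` description points readers at `services.fail2ban.jails` for the list of default jails but not for the side effect documented there, namely that enabling fail2ban sets `services.openssh.logLevel` to "VERBOSE" by default. Since `enable` is the option most users actually read, state it here as well, e.g. "Enabling this also sets <option>services.openssh.logLevel</option> to "VERBOSE" unless you set it yourself, so that the default sshd jail can see failed login attempts." Otherwise the change from a one-line string to a `''` block is fine and the `<option>` markup matches the rest of the file.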
@ -221,6 +226,15 @@ in
defined in <filename>/etc/fail2ban/action.d</filename>,
while filters are defined in
<filename>/etc/fail2ban/filter.d</filename>.
NixOS comes with a default <literal>sshd</literal> jail;
for it to work well,
<option>services.openssh.logLevel</option> should be set to
<literal>"VERBOSE"</literal> or higher so that fail2ban
can observe failed login attempts.
This module sets it to <literal>"VERBOSE"</literal> if
not set otherwise, so enabling fail2ban can make SSH logs
more verbose.
'';
};
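Review bot: "should be set to "VERBOSE" or higher" in the new paragraph nudges users toward the DEBUG levels, which the sshd `logLevel` description in this same PR says "violates the privacy of users and is not recommended"; say "VERBOSE" specifically, or add that the DEBUG levels are not needed for fail2ban. The closing sentence ("This module sets it to "VERBOSE" if not set otherwise, so enabling fail2ban can make SSH logs more verbose") describes the `mkDefault` behaviour accurately and is the wording the release notes should reuse instead of "override".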
@ -313,6 +327,9 @@ in
banaction_allports = ${cfg.banaction-allports}
'';
# Block SSH if there are too many failing connection attempts.
# Benefits from verbose sshd logging to observe failed login attempts,
# so we set that here unless the user overrode it.
services.openssh.logLevel = lib.mkDefault "VERBOSE";
services.fail2ban.jails.sshd = mkDefault ''
enabled = true
port = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}
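Review bot: confirm that the new `services.openssh.logLevel = lib.mkDefault "VERBOSE";` line sits inside the `mkIf cfg.enable` part of `config` (the context shown in this hunk does not make that visible): the `enable` and `jails` descriptions promise that the sshd log level only changes when fail2ban is enabled, and an unconditional assignment would change the default for every system that merely imports the module. The priority itself is right, since `mkDefault` beats the option's own `default = "INFO"` but yields to a user's explicit setting, and the three-line comment explains the dependency well. Style: the line uses `lib.mkDefault` while the very next line uses bare `mkDefault` (and the file already uses bare `mkOption` and `concatMapStringsSep`), so drop the `lib.` prefix for consistency.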