fail2ban service : improve ssh jail (#21131)

Improvement to the ssh-iptables to block the port(s) actually defined for sshd in config.services.openssh.ports
2016-12-14 14:58:02 +01:00 · 2016-12-14 14:58:02 +01:00 · fa0a63ec13
parent c3edaab52d
commit fa0a63ec13
1 changed files with 1 additions and 1 deletions
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@ -143,7 +143,7 @@ in
    services.fail2ban.jails.ssh-iptables =
      ''
        filter   = sshd
-        action   = iptables[name=SSH, port=ssh, protocol=tcp]
+        action   = iptables-multiport[name=SSH, port="${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}", protocol=tcp]
        maxretry = 5
      '';