From 2d2762d4ec0d04cf6e66856022e5a138a1feaff9 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Thu, 20 Nov 2025 15:17:06 +0100
Subject: [PATCH 1/3] Enable fail2ban in apex login node

We are seeing a lot of failed attempts from the same IPs:
apex% sudo journalctl -u sshd -b0 | grep 'Failed password' | wc -l
2441
---
 m/apex/configuration.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix
index 6b1073b0..2b4047a1 100644
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -57,6 +57,8 @@
 };
 };
+ services.fail2ban.enable = true;
+
 networking.firewall = {
 extraCommands = ''
 # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
-- 
2.49.0

From 341551d5bae7a051952559e835b420c82b28dc91 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Thu, 20 Nov 2025 15:21:14 +0100
Subject: [PATCH 2/3] Disable password login via SSH in apex

---
 m/apex/configuration.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix
index 2b4047a1..c2a3e73e 100644
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -59,6 +59,9 @@
 services.fail2ban.enable = true;
+ # Disable SSH login with password, allow only keypair
+ services.openssh.settings.PasswordAuthentication = false;
+
 networking.firewall = {
 extraCommands = ''
 # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
-- 
2.49.0

From 15a26570be6794397e707ec8b84b3f30ef549969 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 21 Nov 2025 12:09:01 +0100
Subject: [PATCH 3/3] Increase fail2ban ban time on each attempt

---
 m/apex/configuration.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix
index c2a3e73e..71c69f8d 100644
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
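Review bot: Enabling `services.fail2ban.enable = true;` in patch 1/3 without an ignore list means a burst of failed logins from a shared address (a campus NAT, a VPN exit, a jump host) can ban every user behind it from the login node. The NixOS module exposes `services.fail2ban.ignoreIP` for this; consider adding `services.fail2ban.ignoreIP = [ "<trusted-admin-range>" ];` with the ranges administrators rely on for recovery. The rest of configuration.nix is outside the hunk, so this may already be set elsewhere. The cost of a wrong ban also grows with the 7d maximum introduced in patch 3/3.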
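Review bot: `PasswordAuthentication = false` in patch 2/3 does not by itself guarantee key-only login, because sshd can still ask for a password through keyboard-interactive (PAM) authentication, which is a separate setting. To match the comment "allow only keypair", add `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it, unless it is already set in a part of the file outside the hunk. The effective result can be confirmed on the built system with `sshd -T`. Once passwords are off, the 'Failed password' lines counted in the patch 1/3 message will no longer appear, so it is worth checking that the fail2ban sshd jail still matches the failures that remain.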
@@ -57,7 +57,14 @@
 };
 };
- services.fail2ban.enable = true;
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime-increment = {
+ enable = true; # Double ban time on each attack
+ maxtime = "7d"; # Ban up to a week
+ };
+ };
 # Disable SSH login with password, allow only keypair
 services.openssh.settings.PasswordAuthentication = false;
-- 
2.49.0
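Review bot: `maxretry = 5;` is not mentioned in the commit subject and, as far as I know, is higher than the NixOS module default of 3, so this line appears to loosen the ban threshold while the rest of the hunk lengthens bans. If five is intended, say so next to the value, e.g. `maxretry = 5; # Tolerate a few mistyped attempts before banning`; otherwise drop the line and keep the default. With bans now growing up to `maxtime = "7d"`, a short comment on how an administrator lifts a mistaken ban would also help whoever handles the first locked-out user.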