Initial commit: homelab configuration and documentation

security/fail2ban/filter.d/portainer.conf

@@ -0,0 +1,5 @@
+[Definition]
+# Portainer authentication failure filter
+failregex = ^.*"remote_addr":"<HOST>".*"status":401.*$
+            ^.*Failed login attempt from <HOST>.*$
+ignoreregex =

security/fail2ban/filter.d/traefik-auth.conf

@@ -0,0 +1,5 @@
+[Definition]
+# Traefik authentication failure filter
+failregex = ^<HOST> - \S+ \[.*\] "\S+ \S+ \S+" 401 .*$
+            ^.*ClientIP":"<HOST>".*"RequestMethod":"\S+".*"OriginStatus":401.*$
+ignoreregex =

security/fail2ban/jail.local

@@ -0,0 +1,30 @@
+[DEFAULT]
+# Ban duration: 1 hour
+bantime = 3600
+# Find time window: 10 minutes
+findtime = 600
+# Max retry attempts before ban
+maxretry = 5
+# Backend for monitoring
+backend = systemd
+
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+
+[portainer]
+enabled = true
+port = 9000,9443
+filter = portainer
+logpath = /var/log/portainer/portainer.log
+maxretry = 5
+
+[traefik-auth]
+enabled = true
+port = http,https
+filter = traefik-auth
+logpath = /var/log/traefik/access.log
+maxretry = 5