From bc83c818db3f5dfa0161cf6bd736c40a8bdc8a56 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sat, 15 Oct 2022 12:16:05 +0000
Subject: [PATCH] honeypot for banning port scanners
---
 modules/gaming/minecraft-server.nix | 2 +-
 modules/services/honeypot.nix | 75 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 modules/services/honeypot.nix
diff --git a/modules/gaming/minecraft-server.nix b/modules/gaming/minecraft-server.nix
index f27b6f0..296f858 100644
--- a/modules/gaming/minecraft-server.nix
+++ b/modules/gaming/minecraft-server.nix
@@ -3,7 +3,7 @@ let
 localPort = 25564;
- publicPort = 25565;
+ publicPort = 49732;
 rconPort = 25575;
 rconPassword = "thiscanbeanything";
diff --git a/modules/services/honeypot.nix b/modules/services/honeypot.nix
new file mode 100644
index 0000000..b8e79b6
--- /dev/null
+++ b/modules/services/honeypot.nix
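Review bot: `publicPort = 49732;` carries no comment explaining why the server left 25565, and nothing in this hunk ties the move to the new honeypot module, which lists 25565 in its `portsToBlock`; add `# Moved off the default 25565, which the honeypot module now treats as a scanner trap` above the line. 49732 also lies inside the default Linux ephemeral range (`net.ipv4.ip_local_port_range`, 32768–60999), so an outbound connection may already hold it when the server binds; a port below 32768, or reserving it via `net.ipv4.ip_local_reserved_ports`, avoids that race. The enclosing `let` block continues outside the hunk, so whatever else references `publicPort` in this module is not visible here.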
@@ -0,0 +1,75 @@
+{ lib, pkgs, ... }:
+
+# Currently has some issues that don't make this viable.
+
+# Taken from:
+# https://dataswamp.org/~solene/2022-09-29-iblock-implemented-in-nixos.html
+
+# You will need to flush all rules when removing:
+# https://serverfault.com/questions/200635/best-way-to-clear-all-iptables-rules
+
+let
+
+ portsToBlock = [ 25545 25565 25570 ];
+ portsString =
+ builtins.concatStringsSep "," (builtins.map builtins.toString portsToBlock);
+
+ # Block IPs for 20 days
+ expire = 60 * 60 * 24 * 20;
+
+ rules = table: [
+ "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --set"
+ "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --update --seconds 10 --hitcount 1 -j SET --add-set ${table} src"
+ "INPUT -i eth0 -p tcp -m set --match-set ${table} src -j nixos-fw-refuse"
+ "INPUT -i eth0 -p udp -m set --match-set ${table} src -j nixos-fw-refuse"
+ ];
+
+ create-rules = lib.concatStringsSep "\n"
+ (builtins.map (rule: "iptables -C " + rule + " || iptables -A " + rule)
+ (rules "blocked") ++ builtins.map
+ (rule: "ip6tables -C " + rule + " || ip6tables -A " + rule)
+ (rules "blocked6"));
+
+ delete-rules = lib.concatStringsSep "\n"
+ (builtins.map (rule: "iptables -C " + rule + " && iptables -D " + rule)
+ (rules "blocked") ++ builtins.map
+ (rule: "ip6tables -C " + rule + " && ip6tables -D " + rule)
+ (rules "blocked6"));
+
+in {
+
+ networking.firewall = {
+
+ extraPackages = [ pkgs.ipset ];
+ # allowedTCPPorts = portsToBlock;
+
+ # Restore ban list when starting up
+ extraCommands = ''
+ if test -f /var/lib/ipset.conf
+ then
+ ipset restore -! < /var/lib/ipset.conf
+ else
+ ipset -exist create blocked hash:ip ${
+ if expire > 0 then "timeout ${toString expire}" else ""
+ }
+ ipset -exist create blocked6 hash:ip family inet6 ${
+ if expire > 0 then "timeout ${toString expire}" else ""
+ }
+ fi
+ ${create-rules}
+ '';
+
+ # Save list when shutting down
+ extraStopCommands = ''
+ ipset -exist create blocked hash:ip ${
+ if expire > 0 then "timeout ${toString expire}" else ""
+ }
+ ipset -exist create blocked6 hash:ip family inet6 ${
+ if expire > 0 then "timeout ${toString expire}" else ""
+ }
+ ipset save > /var/lib/ipset.conf
+ ${delete-rules}
+ '';
+ };
+
+}
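Review bot: The add-set rule in `rules` (`-m recent --update --seconds 10 --hitcount 1 -j SET --add-set ${table} src`) bans any source after a single `NEW`-state packet to the honeypot ports with no exemption for trusted hosts, so one stray connection from an administrator's address refuses that address on every TCP and UDP port, SSH included, for the 20-day `expire`; and because `--state NEW` is satisfied by the initial SYN before any handshake, a packet with a forged source address can get an uninvolved third party banned. Consider an allowlist set created alongside `blocked`, e.g. `ipset -exist create trusted hash:net`, with `-m set ! --match-set trusted src` added to the second entry of `rules`, and a header comment recording that the trap is SYN-triggered and therefore spoofable. `-i eth0` is hard-coded in all four rules, so on a host whose interface has a predictable name the rules are installed but match nothing; drop `-i` or take the interface name from a module option. Whether the appended `-A INPUT` rules are consulted at all depends on where the NixOS firewall script places its own jump into the `nixos-fw` chain relative to `extraCommands`, which may be the "issues" the header comment alludes to; `iptables -S INPUT` after activation shows the effective order.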