familienarchiv/infra/fail2ban/jail.d/familienarchiv.conf

# Jail definition for the Familienarchiv login endpoint.
#
# Install: ln -sf /opt/familienarchiv/infra/fail2ban/jail.d/familienarchiv.conf \
#                 /etc/fail2ban/jail.d/familienarchiv.conf
#          ln -sf /opt/familienarchiv/infra/fail2ban/filter.d/familienarchiv-auth.conf \
#                 /etc/fail2ban/filter.d/familienarchiv-auth.conf
#          systemctl reload fail2ban
#
# Verify with:
#   fail2ban-client status familienarchiv-auth
#   fail2ban-regex /var/log/caddy/access.log familienarchiv-auth
#
# Tuning rationale:
#   - maxretry 10: legitimate users mistyping passwords don't trip the jail
#   - findtime 10m: rolling window that catches automated brute force
#   - bantime 30m: long enough to discourage scripted attacks, short
#                  enough that a user who fat-fingered their VPN comes
#                  back online within a coffee break

[familienarchiv-auth]
enabled  = true
filter   = familienarchiv-auth
logpath  = /var/log/caddy/access.log
maxretry = 10
findtime = 10m
bantime  = 30m
action   = iptables-multiport[name=familienarchiv-auth, port="http,https"]