minecraft: fail2ban

services/minecraft.nix

@@ -151,4 +151,24 @@
     "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
     "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
   ];
+
+  # Protect Minecraft server from connection spam / brute force attempts
+  # Based on https://github.com/fail2ban/fail2ban/pull/2852#issuecomment-3105039910
+  # Only bans IPs that fail whitelist/ban checks - NOT legitimate player disconnects
+  services.fail2ban.jails.minecraft = {
+    enabled = true;
+    settings = {
+      backend = "auto";
+      port = builtins.toString config.services.minecraft-servers.servers.${service_configs.minecraft.server_name}.serverProperties.server-port;
+      logpath = "${config.services.minecraft-servers.dataDir}/${service_configs.minecraft.server_name}/logs/latest.log";
+      # defaults: maxretry=5, findtime=10m, bantime=10m
+    };
+    filter.Definition = {
+      # Only match whitelist rejections and bans - safe patterns that won't affect legitimate players
+      # Format: [HH:MM:SS] [Server thread/INFO]: Disconnecting <name> (/<IP>:<PORT>): <reason>
+      datepattern = "^\\[%%H:%%M:%%S\\]";
+      failregex = "^\\s*\\[Server thread/INFO\\]: Disconnecting .+ \\(/<HOST>:\\d+\\): (?:You are not white-listed on this server|You are banned from this server)";
+      ignoreregex = "";
+    };
+  };
 }