From bc0d686e81e435236f0b2cccd2a5ac921590d111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Mon, 18 Apr 2022 12:26:17 +0200
Subject: [PATCH] :rocket: add more security defaults

---
 modules/security.nix | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/modules/security.nix b/modules/security.nix
index 26e16f4..956bb8a 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -49,6 +49,9 @@
 "net.ipv4.tcp_syncookies" = 1;
 # Incomplete protection again TIME-WAIT assassination
 "net.ipv4.tcp_rfc1337" = 1;
+ # Log martian packages
+ "net.ipv4.conf.all.log_martians" = 1;
+ "net.ipv4.conf.default.log_martians" = 1;
 
 ## TCP optimization
 # TCP Fast Open is a TCP extension that reduces network latency by packing
@@ -77,6 +80,19 @@
 };
 security.sudo.enable = !config.security.doas.enable;
 
- # Disable ssh password login
- services.openssh.passwordAuthentication = lib.mkDefault false;
+ # SSH
+ services.openssh = {
+ # Disable ssh password login
+ passwordAuthentication = lib.mkDefault false;
+ logLevel = "VERBOSE";
+ extraConfig = ''
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ ClientAliveCountMax 2
+ Compression no
+ MaxAuthTries 3
+ MaxSessions 2
+ TCPKeepAlive no
+ '';
+ };
 }
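Review bot: The comment on the first added line of this hunk reads `# Log martian packages`; the sysctl logs IP packets whose source or destination address is impossible on the receiving interface, so `# Log martian packets` is the accurate wording. It is also worth stating in the comment that `log_martians` only records such packets — it drops nothing by itself — and that the spoofed-source part of that logging is only triggered when reverse-path filtering is active; if `net.ipv4.conf.{all,default}.rp_filter` is not already set elsewhere in this attrset (not visible in the hunk), pairing the two is what makes the log entries useful. The enclosing sysctl attrset starts and ends outside this hunk.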
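Review bot: `ClientAliveCountMax 2` in the new `extraConfig` block has no effect on its own: sshd only sends client-alive probes when `ClientAliveInterval` is non-zero, and its default is 0, so together with the `TCPKeepAlive no` set below it a client that silently disappears keeps its session (and one of the two `MaxSessions` slots) indefinitely. Add an interval next to it, e.g. `ClientAliveInterval 300` on the line before `ClientAliveCountMax 2`, so an unresponsive client is disconnected after roughly ten minutes. Separately, `passwordAuthentication = lib.mkDefault false` alone can still leave password login reachable through keyboard-interactive/PAM on NixOS unless that is disabled too; adding `challengeResponseAuthentication = lib.mkDefault false;` (the option is named `kbdInteractiveAuthentication` on newer NixOS releases) closes that path. As a point of style, `mkDefault` on `passwordAuthentication` is inconsistent with the hard-coded `logLevel` and `extraConfig`, which a host that legitimately needs TCP forwarding can only override with `mkForce`. The enclosing module attrset starts outside this hunk.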