Harden networking (mostly)
This commit is contained in:
parent
3f30c8601f
commit
3e7277239a
|
@ -25,6 +25,7 @@
|
|||
common
|
||||
admin
|
||||
hardware-hetzner
|
||||
hardened
|
||||
agenix.nixosModule
|
||||
forgejo
|
||||
caddy
|
||||
|
|
|
@ -2,14 +2,7 @@
|
|||
|
||||
{
|
||||
time.timeZone = "UTC";
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# require public key authentication for better security
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
};
|
||||
};
|
||||
services.openssh.enable = true;
|
||||
services.journald.extraConfig = ''
|
||||
SystemMaxUse=1G
|
||||
SystemMaxFileSize=100M
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
{ config, pkgs, inputs, ... }:
|
||||
|
||||
# A bunch of this is lifted from
|
||||
# <https://mdleom.com/blog/2020/03/04/caddy-nixos-part-2>
|
||||
|
||||
{
|
||||
# require public key authentication for better security
|
||||
services.openssh.settings = {
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
};
|
||||
# Use when PasswordAuthentication/KbdInteractiveAuthentication is enabled
|
||||
# services.fail2ban.enable = true;
|
||||
|
||||
# Disable `useradd` and `passwd`
|
||||
users.mutableUsers = false;
|
||||
|
||||
# DNS over TLS
|
||||
services.stubby = {
|
||||
enable = true;
|
||||
settings = {
|
||||
# ::1 cause error, use 0::1 instead
|
||||
listen_addresses = [ "127.0.0.1" "0::1" ];
|
||||
# https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
|
||||
resolution_type = "GETDNS_RESOLUTION_STUB";
|
||||
dns_transport_list = [ "GETDNS_TRANSPORT_TLS" ];
|
||||
tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
|
||||
tls_query_padding_blocksize = 128;
|
||||
idle_timeout = 10000;
|
||||
round_robin_upstreams = 1;
|
||||
tls_min_version = "GETDNS_TLS1_3";
|
||||
dnssec = "GETDNS_EXTENSION_TRUE";
|
||||
upstream_recursive_servers = [
|
||||
{address_data = "1.1.1.2"; # .2 is the malware-blocked version
|
||||
tls_auth_name = "cloudflare-dns.com";}
|
||||
{address_data = "1.0.0.2";
|
||||
tls_auth_name = "cloudflare-dns.com";}
|
||||
{address_data = "2606:4700:4700::1112";
|
||||
tls_auth_name = "cloudflare-dns.com";}
|
||||
{address_data = "2606:4700:4700::1002";
|
||||
tls_auth_name = "cloudflare-dns.com";}
|
||||
{address_data = "9.9.9.9";
|
||||
tls_auth_name = "dns.quad9.net";}
|
||||
{address_data = "149.112.112.112";
|
||||
tls_auth_name = "dns.quad9.net";}
|
||||
{address_data = "2620:fe::fe";
|
||||
tls_auth_name = "dns.quad9.net";}
|
||||
{address_data = "2620:fe::9";
|
||||
tls_auth_name = "dns.quad9.net";}
|
||||
];
|
||||
};
|
||||
};
|
||||
# Fallback incase stubby/DNS-over-TLS is unresponsive
|
||||
networking.nameservers = ["::1" "127.0.0.1"];
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
fallbackDns = ["2606:4700:4700::1112" "2606:4700:4700::1002"
|
||||
"1.1.1.2" "1.0.0.2"];
|
||||
};
|
||||
|
||||
# Network stack hardening + perf
|
||||
boot.kernelModules = [ "tcp_bbr" ];
|
||||
boot.kernel.sysctl = {
|
||||
# Disable magic SysRq key
|
||||
"kernel.sysrq" = 0;
|
||||
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
|
||||
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
|
||||
# Ignore bad ICMP errors
|
||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||
# Reverse-path filter for spoof protection
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
# SYN flood protection
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||
# Protect against tcp time-wait assassination hazards
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
# TCP Fast Open (TFO)
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
## Bufferbloat mitigations
|
||||
# Requires >= 4.9 & kernel module
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
# Requires >= 4.19
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
}
|
|
@ -12,7 +12,6 @@
|
|||
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
|
||||
kernelModules = [ ];
|
||||
};
|
||||
kernelModules = [ ];
|
||||
kernelParams = [
|
||||
"console=tty1"
|
||||
"console=ttyS0,115200"
|
||||
|
|
Loading…
Reference in New Issue