hardening

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 05:12:34 +02:00 · 2026-04-11 11:27:39 +02:00
parent 28b7923e47
commit 2326857f65
6 changed files with 59 additions and 9 deletions
@@ -6,7 +6,6 @@
    ../../nixos/systemd-boot.nix
    ../../nixos/users.nix
    ../../nixos/utils.nix
-    ../../nixos/docker.nix
    ../../nixos/amd-graphics.nix

    # NixOS server modules
@@ -23,7 +22,7 @@
    ../../server-modules/stirling-pdf.nix
    ../../server-modules/cyberchef.nix
    ../../server-modules/mazanoke.nix
-    ../../server-modules/nginx.nix
+    ../../server-modules/kernel-hardening.nix
    ../../server-modules/fail2ban.nix
    ../../server-modules/default-creds.nix
    ../../server-modules/umami.nix
@@ -6,6 +6,11 @@
 }: let
  autoGarbageCollector = config.var.autoGarbageCollector;
 in {
+  # Ask for password once per SSH session (tied to the tty, expires when session closes)
+  security.sudo.extraConfig = ''
+    Defaults timestamp_type=tty,timestamp_timeout=-1
+  '';
+
  security.sudo.extraRules = [
    {
      users = [config.var.username];
@@ -19,7 +24,7 @@ in {
  ];
  nixpkgs.config = {
    allowUnfree = true;
-    allowBroken = true;
+    allowBroken = false;
  };
  nix = {
    nixPath = ["nixpkgs=${inputs.nixpkgs}"];
@@ -0,0 +1,35 @@
+# Kernel hardening for the server
+{
+  boot.kernel.sysctl = {
+    # Restrict access to kernel logs and pointers
+    "kernel.dmesg_restrict" = 1;
+    "kernel.kptr_restrict" = 2;
+
+    # BPF hardening
+    "net.core.bpf_jit_harden" = 2;
+    "kernel.unprivileged_bpf_disabled" = 1;
+
+    # Reverse path filtering (anti-spoofing)
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+
+    # SYN flood protection
+    "net.ipv4.tcp_syncookies" = 1;
+
+    # Disable IP source routing
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+
+    # Ignore ICMP redirects (prevent MITM)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+
+    # Don't send ICMP redirects
+    "net.ipv4.conf.all.send_redirects" = 0;
+
+    # Restrict ptrace to parent processes only
+    "kernel.yama.ptrace_scope" = 1;
+  };
+}
@@ -7,6 +7,13 @@
 #   externalInterface - WAN interface for NAT, required when internet = true
 #   bindMounts        - host paths to mount into the container (see containers.<name>.bindMounts)
 #   config            - NixOS module for the container
+
+let
+  nginxHardening = { config, ... }: lib.mkIf config.services.nginx.enable {
+    services.nginx.serverTokens = false;
+  };
+in
+
 {
  mkContainer =
    {
@@ -29,7 +36,7 @@
        localAddress = containerIp;
        inherit bindMounts;
        config = { ... }: {
-          imports = [ nixosConfig ];
+          imports = [ nixosConfig nginxHardening ];
          networking.nameservers = lib.mkIf internet [ "1.1.1.1" "1.0.0.1" ];
        };
      };
@@ -1,5 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-  };
-}
@@ -10,6 +10,15 @@ in {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      AllowUsers = [username];
+      MaxAuthTries = 3;
+      LoginGraceTime = 20;
+      X11Forwarding = false;
+      AllowAgentForwarding = false;
+      AllowTcpForwarding = false;
+      ClientAliveInterval = 300;
+      ClientAliveCountMax = 2;
+      KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
+      Ciphers = ["chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"];
    };
  };