From 2326857f65f1748afa74d8445b04422024b2d270 Mon Sep 17 00:00:00 2001
From: Hadi <112569860+anotherhadi@users.noreply.github.com>
Date: Sat, 11 Apr 2026 11:27:39 +0200
Subject: [PATCH] hardening
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
---
 hosts/server/configuration.nix | 3 +--
 nixos/nix.nix | 7 +++++-
 server-modules/kernel-hardening.nix | 35 +++++++++++++++++++++++++++++
 server-modules/mk-container.nix | 9 +++++++-
 server-modules/nginx.nix | 5 -----
 server-modules/ssh.nix | 9 ++++++++
 6 files changed, 59 insertions(+), 9 deletions(-)
 create mode 100644 server-modules/kernel-hardening.nix
 delete mode 100644 server-modules/nginx.nix
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index a028893..429e6e5 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -6,7 +6,6 @@
 ../../nixos/systemd-boot.nix
 ../../nixos/users.nix
 ../../nixos/utils.nix
- ../../nixos/docker.nix
 ../../nixos/amd-graphics.nix
 # NixOS server modules
@@ -23,7 +22,7 @@
 ../../server-modules/stirling-pdf.nix
 ../../server-modules/cyberchef.nix
 ../../server-modules/mazanoke.nix
- ../../server-modules/nginx.nix
+ ../../server-modules/kernel-hardening.nix
 ../../server-modules/fail2ban.nix
 ../../server-modules/default-creds.nix
 ../../server-modules/umami.nix
diff --git a/nixos/nix.nix b/nixos/nix.nix
index 4bc5512..c6c52de 100644
--- a/nixos/nix.nix
+++ b/nixos/nix.nix
@@ -6,6 +6,11 @@
 }: let
 autoGarbageCollector = config.var.autoGarbageCollector;
 in {
+ # Ask for password once per SSH session (tied to the tty, expires when session closes)
+ security.sudo.extraConfig = ''
+ Defaults timestamp_type=tty,timestamp_timeout=-1
+ '';
+
 security.sudo.extraRules = [
 {
 users = [config.var.username];
@@ -19,7 +24,7 @@ in {
 ];
 nixpkgs.config = {
 allowUnfree = true;
- allowBroken = true;
+ allowBroken = false;
 };
 nix = {
 nixPath = ["nixpkgs=${inputs.nixpkgs}"];
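Review bot: `timestamp_timeout=-1` in the added `security.sudo.extraConfig` switches off expiry of the sudo ticket altogether, so once the password has been entered every later command on that tty escalates without re-authentication for as long as the login shell lives, which for an SSH session can be hours; that is wider than the comment "Ask for password once per SSH session" makes it sound. A bounded lifetime keeps the per-tty behaviour while limiting the window: `Defaults timestamp_type=tty,timestamp_timeout=15`. The sudo policy also sits in nix.nix next to `nixpkgs.config` and garbage-collection settings rather than in a users- or sudo-related module, which will make it hard to find later. The enclosing `in {` attrset continues past the hunk.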
diff --git a/server-modules/kernel-hardening.nix b/server-modules/kernel-hardening.nix
new file mode 100644
index 0000000..34b8de5
--- /dev/null
+++ b/server-modules/kernel-hardening.nix
@@ -0,0 +1,35 @@
+# Kernel hardening for the server
+{
+ boot.kernel.sysctl = {
+ # Restrict access to kernel logs and pointers
+ "kernel.dmesg_restrict" = 1;
+ "kernel.kptr_restrict" = 2;
+
+ # BPF hardening
+ "net.core.bpf_jit_harden" = 2;
+ "kernel.unprivileged_bpf_disabled" = 1;
+
+ # Reverse path filtering (anti-spoofing)
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+
+ # SYN flood protection
+ "net.ipv4.tcp_syncookies" = 1;
+
+ # Disable IP source routing
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv4.conf.default.accept_source_route" = 0;
+
+ # Ignore ICMP redirects (prevent MITM)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+
+ # Don't send ICMP redirects
+ "net.ipv4.conf.all.send_redirects" = 0;
+
+ # Restrict ptrace to parent processes only
+ "kernel.yama.ptrace_scope" = 1;
+ };
+}
diff --git a/server-modules/mk-container.nix b/server-modules/mk-container.nix
index 2a1634d..e7bcbe8 100644
--- a/server-modules/mk-container.nix
+++ b/server-modules/mk-container.nix
@@ -7,6 +7,13 @@
 # externalInterface - WAN interface for NAT, required when internet = true
 # bindMounts - host paths to mount into the container (see containers..bindMounts)
 # config - NixOS module for the container
+
+let
+ nginxHardening = { config, ... }: lib.mkIf config.services.nginx.enable {
+ services.nginx.serverTokens = false;
+ };
+in
+
 {
 mkContainer = {
@@ -29,7 +36,7 @@
 localAddress = containerIp;
 inherit bindMounts;
 config = { ... }: {
- imports = [ nixosConfig ];
+ imports = [ nixosConfig nginxHardening ];
 networking.nameservers = lib.mkIf internet [ "1.1.1.1" "1.0.0.1" ];
 };
 };
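Review bot: The `conf.default` side of the redirect and source-route settings is incomplete and IPv6 is only half covered: `net.ipv4.conf.default.secure_redirects`, `net.ipv4.conf.default.send_redirects`, `net.ipv6.conf.default.accept_redirects` and both `net.ipv6.conf.{all,default}.accept_source_route` are absent while their IPv4 `all` counterparts are set. The `default` values matter on this host because the veth/bridge interfaces that mk-container.nix creates come up after boot and inherit `conf.default`, not `conf.all`, so the comment "Ignore ICMP redirects (prevent MITM)" currently does not hold for them on IPv6. Adding `net.ipv4.conf.all.log_martians` gives the host a log trail for the spoofed packets that rp_filter drops. The rewritten sysctl entries are below; the rest of the file is unchanged.
```nix
    # … unchanged: dmesg/kptr, BPF, rp_filter, syncookies, IPv4 source-route and redirect settings …
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # Log packets with impossible source addresses (detection aid for spoofing)
    "net.ipv4.conf.all.log_martians" = 1;
    # … unchanged: ptrace_scope …
```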
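Review bot: The `let … in` block inserted between the parameter comment and the attrset adds behaviour that the header comment does not describe: every container built by mkContainer now also imports `nginxHardening` (second hunk of this file), so an nginx enabled inside a container gets `serverTokens = false` without the caller asking for it. Add a line to the header, e.g. `# Every container also imports nginxHardening: if services.nginx is enabled inside it, server_tokens is switched off`. `lib` in the new binding presumably comes from the file's function header, which lies outside this hunk, as does the rest of the enclosing attrset. Hiding the version banner only narrows fingerprinting; it does not replace keeping the container's nginx package current.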
diff --git a/server-modules/nginx.nix b/server-modules/nginx.nix
deleted file mode 100644
index a556ccd..0000000
--- a/server-modules/nginx.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- services.nginx = {
- enable = true;
- };
-}
diff --git a/server-modules/ssh.nix b/server-modules/ssh.nix
index 73a4dfc..fc8995f 100644
--- a/server-modules/ssh.nix
+++ b/server-modules/ssh.nix
@@ -10,6 +10,15 @@ in {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
 AllowUsers = [username];
+ MaxAuthTries = 3;
+ LoginGraceTime = 20;
+ X11Forwarding = false;
+ AllowAgentForwarding = false;
+ AllowTcpForwarding = false;
+ ClientAliveInterval = 300;
+ ClientAliveCountMax = 2;
+ KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
+ Ciphers = ["chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"];
 };
 };
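Review bot: The explicit `KexAlgorithms` list keeps only the two curve25519 names, which drops the post-quantum hybrid exchange (`sntrup761x25519-sha512@openssh.com` on OpenSSH 9.0+, `mlkem768x25519-sha256` on 9.9+) that sshd and the NixOS default list otherwise offer first; against a harvest-now-decrypt-later adversary that is a step backwards from the pre-commit configuration. Put the hybrid first and keep the classical fallback: `KexAlgorithms = ["sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org"];` (which names exist depends on the OpenSSH in the pinned nixpkgs, not visible here). `MaxAuthTries = 3` counts every public key the client offers, so an agent holding several keys can exhaust it before the right one is tried; document that clients should use IdentitiesOnly. `AllowTcpForwarding = false` also blocks local forwards such as reaching a container's admin UI over the tunnel, so check that this host's workflows do not rely on them. The `settings` attrset closes at the end of the hunk, but the module's `in {` begins outside it.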