hardening

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>

hosts/server/configuration.nix

@@ -6,7 +6,6 @@
     ../../nixos/systemd-boot.nix
     ../../nixos/users.nix
     ../../nixos/utils.nix
-    ../../nixos/docker.nix
     ../../nixos/amd-graphics.nix
 
     # NixOS server modules
@@ -23,7 +22,7 @@
     ../../server-modules/stirling-pdf.nix
     ../../server-modules/cyberchef.nix
     ../../server-modules/mazanoke.nix
-    ../../server-modules/nginx.nix
+    ../../server-modules/kernel-hardening.nix
     ../../server-modules/fail2ban.nix
     ../../server-modules/default-creds.nix
     ../../server-modules/umami.nix

nixos/nix.nix

@@ -6,6 +6,11 @@
 }: let
   autoGarbageCollector = config.var.autoGarbageCollector;
 in {
+  # Ask for password once per SSH session (tied to the tty, expires when session closes)
+  security.sudo.extraConfig = ''
+    Defaults timestamp_type=tty,timestamp_timeout=-1
+  '';
+
   security.sudo.extraRules = [
     {
       users = [config.var.username];
@@ -19,7 +24,7 @@ in {
   ];
   nixpkgs.config = {
     allowUnfree = true;
-    allowBroken = true;
+    allowBroken = false;
   };
   nix = {
     nixPath = ["nixpkgs=${inputs.nixpkgs}"];

server-modules/kernel-hardening.nix

@@ -0,0 +1,35 @@
+# Kernel hardening for the server
+{
+  boot.kernel.sysctl = {
+    # Restrict access to kernel logs and pointers
+    "kernel.dmesg_restrict" = 1;
+    "kernel.kptr_restrict" = 2;
+
+    # BPF hardening
+    "net.core.bpf_jit_harden" = 2;
+    "kernel.unprivileged_bpf_disabled" = 1;
+
+    # Reverse path filtering (anti-spoofing)
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+
+    # SYN flood protection
+    "net.ipv4.tcp_syncookies" = 1;
+
+    # Disable IP source routing
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+
+    # Ignore ICMP redirects (prevent MITM)
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+
+    # Don't send ICMP redirects
+    "net.ipv4.conf.all.send_redirects" = 0;
+
+    # Restrict ptrace to parent processes only
+    "kernel.yama.ptrace_scope" = 1;
+  };
+}

server-modules/mk-container.nix

@@ -7,6 +7,13 @@
 #   externalInterface - WAN interface for NAT, required when internet = true
 #   bindMounts        - host paths to mount into the container (see containers.<name>.bindMounts)
 #   config            - NixOS module for the container
+
+let
+  nginxHardening = { config, ... }: lib.mkIf config.services.nginx.enable {
+    services.nginx.serverTokens = false;
+  };
+in
+
 {
   mkContainer =
     {
@@ -29,7 +36,7 @@
         localAddress = containerIp;
         inherit bindMounts;
         config = { ... }: {
-          imports = [ nixosConfig ];
+          imports = [ nixosConfig nginxHardening ];
           networking.nameservers = lib.mkIf internet [ "1.1.1.1" "1.0.0.1" ];
         };
       };

server-modules/nginx.nix

@@ -1,5 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-  };
-}

server-modules/ssh.nix

@@ -10,6 +10,15 @@ in {
       PermitRootLogin = "no";
       PasswordAuthentication = false;
       AllowUsers = [username];
+      MaxAuthTries = 3;
+      LoginGraceTime = 20;
+      X11Forwarding = false;
+      AllowAgentForwarding = false;
+      AllowTcpForwarding = false;
+      ClientAliveInterval = 300;
+      ClientAliveCountMax = 2;
+      KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
+      Ciphers = ["chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"];
     };
   };