dotfiles/modules/security/default.nix

86 lines
3.2 KiB
Nix
Raw Normal View History

2022-07-15 13:11:54 +02:00
{ config
, lib
, ...
}: {
2021-09-30 19:41:08 +02:00
## System security tweaks
# Prevent replacing the running kernel w/o reboot
2023-05-07 12:05:38 +02:00
# security.protectKernelImage = lib.mkDefault true; # NOTE disabled for now to enable hibernate
2021-09-30 19:41:08 +02:00
# tmpfs = /tmp is mounted in ram. Doing so makes temp file management speedy
# on ssd systems, and volatile! Because it's wiped on reboot.
2023-04-16 17:57:53 +02:00
boot.tmp.useTmpfs = lib.mkDefault true;
2021-09-30 19:41:08 +02:00
# If not using tmpfs, which is naturally purged on reboot, we must clean it
# /tmp ourselves. /tmp should be volatile storage!
2023-05-07 12:04:17 +02:00
boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
2021-09-30 19:41:08 +02:00
# Fix a security hole in place for backwards compatibility. See desc in
# nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
boot.loader.systemd-boot.editor = false;
boot.kernel.sysctl = {
# The Magic SysRq key is a key combo that allows users connected to the
# system console of a Linux kernel to perform some low-level commands.
# Disable it, since we don't need it, and is a potential security concern.
"kernel.sysrq" = 0;
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
2022-04-18 12:26:17 +02:00
# Log martian packages
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1;
2021-09-30 19:41:08 +02:00
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
# both incoming and outgoing connections:
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelModules = [ "tcp_bbr" ];
# So we don't have to do this later...
security.acme.acceptTerms = true;
2021-12-30 11:14:32 +01:00
2022-04-18 12:26:17 +02:00
# SSH
services.openssh = {
2023-02-02 11:38:23 +01:00
settings = {
# Disable ssh password login
passwordAuthentication = lib.mkDefault false;
logLevel = "VERBOSE";
};
2022-04-18 12:26:17 +02:00
extraConfig = ''
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
'';
};
2021-09-30 19:41:08 +02:00
}