🚀 add more security defaults

This commit is contained in:
Moritz Böhme 2022-04-18 12:26:17 +02:00
parent 9dbe5c9aac
commit bc0d686e81
No known key found for this signature in database
GPG key ID: 213820E2795F5CF5


@ -49,6 +49,9 @@
"net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination # Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1; "net.ipv4.tcp_rfc1337" = 1;
# Log martian packages
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1;
## TCP optimization ## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing # TCP Fast Open is a TCP extension that reduces network latency by packing
@ -77,6 +80,19 @@
}; };
security.sudo.enable = !config.security.doas.enable; security.sudo.enable = !config.security.doas.enable;
# SSH
services.openssh = {
# Disable ssh password login # Disable ssh password login
services.openssh.passwordAuthentication = lib.mkDefault false; passwordAuthentication = lib.mkDefault false;
logLevel = "VERBOSE";
extraConfig = ''
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
'';
};
} }
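Review bot: `ClientAliveCountMax 2` in the new extraConfig has no effect on its own, because sshd only sends client-alive probes when `ClientAliveInterval` is non-zero and its default is 0; pair it with a line such as `ClientAliveInterval 300` (value to be chosen) so idle or dead sessions are actually dropped, which matters more now that `TCPKeepAlive no` removes the kernel-level check. Setting `passwordAuthentication = lib.mkDefault false` alone may still leave keyboard-interactive (PAM) logins possible if the NixOS module's keyboard-interactive option keeps its default, which I cannot confirm from this hunk; worth checking the generated sshd_config. Minor: the comment added in the first hunk reads `# Log martian packages` and should say `packets`. The enclosing module attribute set starts outside the hunk.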