🚀 add more security defaults
This commit is contained in:
parent
9dbe5c9aac
commit
bc0d686e81
1 changed files with 18 additions and 2 deletions
|
@ -49,6 +49,9 @@
|
||||||
"net.ipv4.tcp_syncookies" = 1;
|
"net.ipv4.tcp_syncookies" = 1;
|
||||||
# Incomplete protection again TIME-WAIT assassination
|
# Incomplete protection again TIME-WAIT assassination
|
||||||
"net.ipv4.tcp_rfc1337" = 1;
|
"net.ipv4.tcp_rfc1337" = 1;
|
||||||
|
# Log martian packages
|
||||||
|
"net.ipv4.conf.all.log_martians" = 1;
|
||||||
|
"net.ipv4.conf.default.log_martians" = 1;
|
||||||
|
|
||||||
## TCP optimization
|
## TCP optimization
|
||||||
# TCP Fast Open is a TCP extension that reduces network latency by packing
|
# TCP Fast Open is a TCP extension that reduces network latency by packing
|
||||||
|
@ -77,6 +80,19 @@
|
||||||
};
|
};
|
||||||
security.sudo.enable = !config.security.doas.enable;
|
security.sudo.enable = !config.security.doas.enable;
|
||||||
|
|
||||||
|
# SSH
|
||||||
|
services.openssh = {
|
||||||
# Disable ssh password login
|
# Disable ssh password login
|
||||||
services.openssh.passwordAuthentication = lib.mkDefault false;
|
passwordAuthentication = lib.mkDefault false;
|
||||||
|
logLevel = "VERBOSE";
|
||||||
|
extraConfig = ''
|
||||||
|
AllowAgentForwarding no
|
||||||
|
AllowTcpForwarding no
|
||||||
|
ClientAliveCountMax 2
|
||||||
|
Compression no
|
||||||
|
MaxAuthTries 3
|
||||||
|
MaxSessions 2
|
||||||
|
TCPKeepAlive no
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue