🚀 add more security defaults
parent
9dbe5c9aac
commit
bc0d686e81
1 changed files with 18 additions and 2 deletions
@ -49,6 +49,9 @@
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
# Log martian packages
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.log_martians" = 1;
## TCP optimization
# TCP Fast Open is a TCP extension that reduces network latency by packing
@ -77,6 +80,19 @@
};
security.sudo.enable = !config.security.doas.enable;
# SSH
services.openssh = {
# Disable ssh password login
services.openssh.passwordAuthentication = lib.mkDefault false;
passwordAuthentication = lib.mkDefault false;
logLevel = "VERBOSE";
extraConfig = ''
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
'';
};
}
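Review bot: `ClientAliveCountMax 2` in the new extraConfig block has no effect on its own, because sshd only sends client-alive probes when ClientAliveInterval is non-zero (its default is 0), and with `TCPKeepAlive no` also set, dead or idle sessions are never torn down; add `ClientAliveInterval 300` (value illustrative) beside it. Setting passwordAuthentication to false likewise does not stop password prompts delivered through PAM keyboard-interactive unless that method is disabled as well, so `KbdInteractiveAuthentication no` belongs in the same extraConfig block (or the equivalent NixOS option, depending on the release in use). The comments in the first hunk should read "against" and "martian packets".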