2023-02-27 05:10:58 -05:00
|
|
|
|
# security tweaks borrowed from @hlissner
|
|
|
|
|
|
{
|
|
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
|
|
# The Magic SysRq key is a key combo that allows users connected to the
|
|
|
|
|
|
# system console of a Linux kernel to perform some low-level commands.
|
|
|
|
|
|
# Disable it, since we don't need it, and is a potential security concern.
|
|
|
|
|
|
"kernel.sysrq" = 0;
|
|
|
|
|
|
|
|
|
|
|
|
## TCP hardening
|
|
|
|
|
|
# Prevent bogus ICMP errors from filling up logs.
|
|
|
|
|
|
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
|
|
|
|
|
# Reverse path filtering causes the kernel to do source validation of
|
|
|
|
|
|
# packets received from all interfaces. This can mitigate IP spoofing.
|
|
|
|
|
|
"net.ipv4.conf.default.rp_filter" = 1;
|
|
|
|
|
|
"net.ipv4.conf.all.rp_filter" = 1;
|
|
|
|
|
|
# Do not accept IP source route packets (we're not a router)
|
|
|
|
|
|
"net.ipv4.conf.all.accept_source_route" = 0;
|
|
|
|
|
|
"net.ipv6.conf.all.accept_source_route" = 0;
|
|
|
|
|
|
# Don't send ICMP redirects (again, we're on a router)
|
|
|
|
|
|
"net.ipv4.conf.all.send_redirects" = 0;
|
|
|
|
|
|
"net.ipv4.conf.default.send_redirects" = 0;
|
|
|
|
|
|
# Refuse ICMP redirects (MITM mitigations)
|
|
|
|
|
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
|
|
|
|
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
|
|
|
|
|
"net.ipv4.conf.all.secure_redirects" = 0;
|
|
|
|
|
|
"net.ipv4.conf.default.secure_redirects" = 0;
|
|
|
|
|
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
|
|
|
|
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
|
|
|
|
|
# Protects against SYN flood attacks
|
|
|
|
|
|
"net.ipv4.tcp_syncookies" = 1;
|
|
|
|
|
|
# Incomplete protection again TIME-WAIT assassination
|
|
|
|
|
|
"net.ipv4.tcp_rfc1337" = 1;
|
|
|
|
|
|
|
|
|
|
|
|
## TCP optimization
|
|
|
|
|
|
# TCP Fast Open is a TCP extension that reduces network latency by packing
|
|
|
|
|
|
# data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
|
|
|
|
|
|
# both incoming and outgoing connections:
|
|
|
|
|
|
"net.ipv4.tcp_fastopen" = 3;
|
|
|
|
|
|
# Bufferbloat mitigations + slight improvement in throughput & latency
|
|
|
|
|
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
|
|
|
|
|
"net.core.default_qdisc" = "cake";
|
|
|
|
|
|
};
|
2023-12-30 13:33:47 -05:00
|
|
|
|
|
2023-02-27 05:10:58 -05:00
|
|
|
|
boot.kernelModules = ["tcp_bbr"];
|
|
|
|
|
|
|
|
|
|
|
|
security.acme = {
|
|
|
|
|
|
acceptTerms = true;
|
|
|
|
|
|
defaults.email = "github@notohh.dev";
|
|
|
|
|
|
};
|
2023-12-30 13:33:47 -05:00
|
|
|
|
|
2024-02-01 16:03:44 -05:00
|
|
|
|
services = {
|
|
|
|
|
|
openssh.settings.LogLevel = "VERBOSE";
|
|
|
|
|
|
fail2ban = {
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
bantime = "1h";
|
|
|
|
|
|
maxretry = 1;
|
|
|
|
|
|
ignoreIP = [
|
|
|
|
|
|
"192.168.0.0/16"
|
|
|
|
|
|
"172.16.0.0/12"
|
|
|
|
|
|
"10.0.0.0/8"
|
|
|
|
|
|
"5.161.102.107/32"
|
|
|
|
|
|
"100.71.49.65/10"
|
|
|
|
|
|
"100.82.146.40/10"
|
|
|
|
|
|
];
|
|
|
|
|
|
jails = {
|
|
|
|
|
|
DEFAULT = {
|
|
|
|
|
|
settings = {
|
|
|
|
|
|
findtime = 100000;
|
|
|
|
|
|
mode = "aggressive";
|
|
|
|
|
|
};
|
2023-12-30 13:33:47 -05:00
|
|
|
|
};
|
2023-07-09 04:20:20 -04:00
|
|
|
|
};
|
2023-06-25 11:09:18 -04:00
|
|
|
|
};
|
2023-06-14 04:44:39 -04:00
|
|
|
|
};
|
2023-02-27 05:10:58 -05:00
|
|
|
|
}
|
