# security tweaks borrowed from @hlissner { boot.kernel.sysctl = { # The Magic SysRq key is a key combo that allows users connected to the # system console of a Linux kernel to perform some low-level commands. # Disable it, since we don't need it, and is a potential security concern. "kernel.sysrq" = 0; ## TCP hardening # Prevent bogus ICMP errors from filling up logs. "net.ipv4.icmp_ignore_bogus_error_responses" = 1; # Reverse path filtering causes the kernel to do source validation of # packets received from all interfaces. This can mitigate IP spoofing. "net.ipv4.conf.default.rp_filter" = 1; "net.ipv4.conf.all.rp_filter" = 1; # Do not accept IP source route packets (we're not a router) "net.ipv4.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0; # Don't send ICMP redirects (again, we're on a router) "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0; # Refuse ICMP redirects (MITM mitigations) "net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.default.accept_redirects" = 0; "net.ipv4.conf.all.secure_redirects" = 0; "net.ipv4.conf.default.secure_redirects" = 0; "net.ipv6.conf.all.accept_redirects" = 0; "net.ipv6.conf.default.accept_redirects" = 0; # Protects against SYN flood attacks "net.ipv4.tcp_syncookies" = 1; # Incomplete protection again TIME-WAIT assassination "net.ipv4.tcp_rfc1337" = 1; ## TCP optimization # TCP Fast Open is a TCP extension that reduces network latency by packing # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for # both incoming and outgoing connections: "net.ipv4.tcp_fastopen" = 3; # Bufferbloat mitigations + slight improvement in throughput & latency "net.ipv4.tcp_congestion_control" = "bbr"; "net.core.default_qdisc" = "cake"; }; boot.kernelModules = ["tcp_bbr"]; services.openssh.settings.LogLevel = "VERBOSE"; security.acme = { acceptTerms = true; defaults.email = "github@notohh.dev"; }; services.fail2ban = { enable = true; bantime = "1h"; maxretry = 1; ignoreIP = [ "192.168.0.0/16" "172.16.0.0/12" "10.0.0.0/8" "5.161.102.107/32" "100.71.49.65/10" "100.82.146.40/10" ]; jails = { DEFAULT = { settings = { findtime = 100000; mode = "aggressive"; }; }; }; }; }