From a69684e126c50ac8b4bf61d8c5e7bfd8adac4c7e Mon Sep 17 00:00:00 2001
From: Grimmauld <Grimmauld@grimmauld.de>
Date: Wed, 15 Jan 2025 11:01:27 +0100
Subject: [PATCH] ssh hardening

---
 flake.lock                    | 18 +++++-----
 hardening/systemd/default.nix |  1 +
 hardening/systemd/sshd.nix    | 62 +++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 9 deletions(-)
 create mode 100644 hardening/systemd/sshd.nix

diff --git a/flake.lock b/flake.lock
index b6aa7d8..19461fe 100644
--- a/flake.lock
+++ b/flake.lock
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734540176,
-        "narHash": "sha256-msxbnOw/nh8GJ87YtBEDT1jhVldOBtxHRF2KgvYPeDA=",
+        "lastModified": 1736877444,
+        "narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=",
         "owner": "ezKEa",
         "repo": "aagl-gtk-on-nix",
-        "rev": "00df3ad02364a6fb8f1105dc72ae770b748c62eb",
+        "rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98",
         "type": "github"
       },
       "original": {
@@ -140,11 +140,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736774329,
-        "narHash": "sha256-GP39XWhiD6bKidoOTfq+82VpFMxG6AcNV4ynKoFWpMU=",
+        "lastModified": 1736848948,
+        "narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=",
         "owner": "chaotic-cx",
         "repo": "nyx",
-        "rev": "705c09ade97041ccc9d04282498af7983874fe19",
+        "rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65",
         "type": "github"
       },
       "original": {
@@ -507,11 +507,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1736701207,
-        "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=",
+        "lastModified": 1736798957,
+        "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6",
+        "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
         "type": "github"
       },
       "original": {
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index b6593eb..7f20815 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -24,6 +24,7 @@ in
     ./nix-daemon.nix
     ./nscd.nix
     ./rtkit.nix
+    ./sshd.nix
 
     ./global
   ];
diff --git a/hardening/systemd/sshd.nix b/hardening/systemd/sshd.nix
new file mode 100644
index 0000000..ce3d2e9
--- /dev/null
+++ b/hardening/systemd/sshd.nix
@@ -0,0 +1,62 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  config.systemd.services = {
+    sshd.serviceConfig = {
+      MemoryDenyWriteExecute = true;
+      SystemCallArchitectures = "native";
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = [
+        "~pid"
+        "~user"
+        "~net"
+        "~uts"
+        "~mnt"
+        "~cgroup"
+        "~ipc"
+      ];
+      SystemCallFilter = [
+        "@system-service"
+        "@privileged"
+      ];
+
+      LockPersonality = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      PrivateMounts = true;
+      ProtectProc = "invisible";
+      ProtectClock = true;
+      ProtectHostname = true;
+
+      # file system
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ReadWritePaths = "/etc/ssh";
+      RestrictRealtime = true;
+      DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
+
+      CapabilityBoundingSet = [
+        "CAP_NET_BIND_SERVICE"
+        "CAP_SETGID"
+        "CAP_SETUID"
+        "CAP_SYS_CHROOT"
+        "cap_dac_override"
+      ];
+
+      ProtectKernelLogs = true;
+      ProtectKernelTunables = true;
+      PrivateUsers = false; # important
+      ProtectHome = false; # important
+      NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells
+      PrivateNetwork = false; # important
+    };
+  };
+}
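Review bot: Everything in this `serviceConfig` is inherited by the login sessions sshd forks (and by sudo'd shells inside them), not only by the daemon, and the hunk only accounts for that on L135–L138; in particular `ProtectSystem = "strict"` with `ReadWritePaths = "/etc/ssh"` (L120–L121) leaves /home, /root and /var read-only for every SSH user, `MemoryDenyWriteExecute` (L88) is a seccomp filter that will make JIT runtimes (node, JVM) fail on W^X mappings inside a session, the `CapabilityBoundingSet` (L125–L131) strips CAP_SYS_ADMIN/CAP_CHOWN/CAP_KILL from root obtained via sudo over SSH, and `RestrictAddressFamilies` without AF_NETLINK (L91–L95) breaks `ip`-style tools — please verify on a host before this lands, as the breakage only shows up once someone logs in. If the intent is to sandbox the daemon rather than confine users, this needs at least `ReadWritePaths = [ "/etc/ssh" "/home" "/root" "/var" "/run" ];` and dropping `MemoryDenyWriteExecute` and the bounding set; if confining sessions is deliberate, say so in a header comment such as `# NOTE: this sandbox applies to every SSH session, not just sshd; interactive logins get a read-only system, no JIT and a reduced root.`. Two smaller points: `"cap_dac_override"` on L130 is lowercase while the other entries are `CAP_*` — confirm systemd's parser accepts that form, since an unparseable entry is logged and dropped rather than failing the unit — and listing all seven `~` namespace types on L96–L104 is equivalent to `RestrictNamespaces = true;`.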