ssh hardening

This commit is contained in:
Grimmauld 2025-01-15 11:01:27 +01:00
parent 066bacfce8
commit a69684e126
No known key found for this signature in database
3 changed files with 72 additions and 9 deletions


@ -31,11 +31,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1734540176, "lastModified": 1736877444,
"narHash": "sha256-msxbnOw/nh8GJ87YtBEDT1jhVldOBtxHRF2KgvYPeDA=", "narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=",
"owner": "ezKEa", "owner": "ezKEa",
"repo": "aagl-gtk-on-nix", "repo": "aagl-gtk-on-nix",
"rev": "00df3ad02364a6fb8f1105dc72ae770b748c62eb", "rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -140,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736774329, "lastModified": 1736848948,
"narHash": "sha256-GP39XWhiD6bKidoOTfq+82VpFMxG6AcNV4ynKoFWpMU=", "narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "705c09ade97041ccc9d04282498af7983874fe19", "rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -507,11 +507,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1736701207, "lastModified": 1736798957,
"narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=", "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6", "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -24,6 +24,7 @@ in
./nix-daemon.nix ./nix-daemon.nix
./nscd.nix ./nscd.nix
./rtkit.nix ./rtkit.nix
./sshd.nix
./global ./global
]; ];


@ -0,0 +1,62 @@
{
lib,
config,
...
}:
{
config.systemd.services = {
sshd.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
ProtectHostname = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
ReadWritePaths = "/etc/ssh";
RestrictRealtime = true;
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
PrivateUsers = false; # important
ProtectHome = false; # important
NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells
PrivateNetwork = false; # important
};
};
}
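Review bot: Every sandbox setting in this unit is inherited by the shells and commands sshd forks for logged-in users, not only by the daemon, so `ProtectSystem = "strict";` paired with `ReadWritePaths = "/etc/ssh";` appears to leave the entire hierarchy, home directories included, read-only inside SSH sessions, and the `SystemCallFilter` and `MemoryDenyWriteExecute` lines will kill any user program (JIT runtimes, anything outside `@system-service`/`@privileged`) that steps outside them; an interactive login on a test host should confirm this is the intended trade-off. Runtime paths sshd and PAM write themselves (a pid file under `/run`, utmp/wtmp/lastlog under `/run` and `/var/log`, if enabled) are not listed either, so either widen it, e.g. `ReadWritePaths = [ "/etc/ssh" "/run" "/var/log" "/home" ];`, or fall back to `ProtectSystem = "full";`. `"cap_dac_override"` is the only lowercase entry in `CapabilityBoundingSet`; libcap's name lookup is case-insensitive as far as I know, but write it as `"CAP_DAC_OVERRIDE"` for consistency, and verify that pty allocation and PAM session modules do not also need capabilities such as `CAP_CHOWN`, `CAP_FOWNER` or `CAP_SYS_TTY_CONFIG` that the set drops. The `# important` comments on the last four lines state nothing about why each default is kept; one reason per line, e.g. `PrivateUsers = false; # a user namespace would break setuid/setgid to the login user`, would help the next maintainer.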