ssh hardening

2025-01-15 11:01:27 +01:00 · 2025-01-15 11:01:27 +01:00 · a69684e126
commit a69684e126
parent 066bacfce8
3 changed files with 72 additions and 9 deletions
--- a/flake.lock
+++ b/flake.lock
@ -31,11 +31,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734540176,
-        "narHash": "sha256-msxbnOw/nh8GJ87YtBEDT1jhVldOBtxHRF2KgvYPeDA=",
+        "lastModified": 1736877444,
+        "narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=",
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "00df3ad02364a6fb8f1105dc72ae770b748c62eb",
+        "rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98",
        "type": "github"
      },
      "original": {
@ -140,11 +140,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736774329,
-        "narHash": "sha256-GP39XWhiD6bKidoOTfq+82VpFMxG6AcNV4ynKoFWpMU=",
+        "lastModified": 1736848948,
+        "narHash": "sha256-P9XZoUzRxjq5AJxR1+F0HEyzggNX/zt+A3cuwXER4qM=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "705c09ade97041ccc9d04282498af7983874fe19",
+        "rev": "e75f332c423ae95164ec188c0406c2d47b8a4a65",
        "type": "github"
      },
      "original": {
@ -507,11 +507,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1736701207,
-        "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=",
+        "lastModified": 1736798957,
+        "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6",
+        "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
        "type": "github"
      },
      "original": {
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@ -24,6 +24,7 @@ in
    ./nix-daemon.nix
    ./nscd.nix
    ./rtkit.nix
+    ./sshd.nix

    ./global
  ];
--- a/hardening/systemd/sshd.nix
+++ b/hardening/systemd/sshd.nix
@ -0,0 +1,62 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  config.systemd.services = {
+    sshd.serviceConfig = {
+      MemoryDenyWriteExecute = true;
+      SystemCallArchitectures = "native";
+      RestrictSUIDSGID = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = [
+        "~pid"
+        "~user"
+        "~net"
+        "~uts"
+        "~mnt"
+        "~cgroup"
+        "~ipc"
+      ];
+      SystemCallFilter = [
+        "@system-service"
+        "@privileged"
+      ];
+
+      LockPersonality = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      PrivateMounts = true;
+      ProtectProc = "invisible";
+      ProtectClock = true;
+      ProtectHostname = true;
+
+      # file system
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ReadWritePaths = "/etc/ssh";
+      RestrictRealtime = true;
+      DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
+
+      CapabilityBoundingSet = [
+        "CAP_NET_BIND_SERVICE"
+        "CAP_SETGID"
+        "CAP_SETUID"
+        "CAP_SYS_CHROOT"
+        "cap_dac_override"
+      ];
+
+      ProtectKernelLogs = true;
+      ProtectKernelTunables = true;
+      PrivateUsers = false; # important
+      ProtectHome = false; # important
+      NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells
+      PrivateNetwork = false; # important
+    };
+  };
+}