| author | Fuwn <[email protected]> | 2024-09-03 17:10:51 -0700 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2024-09-03 17:10:51 -0700 |
| commit | f45dc51a331a24f0c1f7fc08a5f1600cd1766e14 (patch) | |
| tree | 68dac2e7d31ea70c60d947ad0a744aa41902c8a1 | |
| parent | tings (diff) | |
| download | nixos-config-f45dc51a331a24f0c1f7fc08a5f1600cd1766e14.tar.xz nixos-config-f45dc51a331a24f0c1f7fc08a5f1600cd1766e14.zip | |
harden ssh
| -rw-r--r-- | modules/services/fail2ban.nix | 7 | ||||
| -rw-r--r-- | modules/services/openssh.nix | 4 |
2 files changed, 9 insertions, 2 deletions
diff --git a/modules/services/fail2ban.nix b/modules/services/fail2ban.nix index d768eb6..fa45565 100644 --- a/modules/services/fail2ban.nix +++ b/modules/services/fail2ban.nix @@ -1,3 +1,4 @@ +{ lib, config, ... }: { services.fail2ban = { enable = false; @@ -7,5 +8,11 @@ "172.16.0.0/12" "192.168.0.0/16" ]; + + jails.sshd.settings = { + enabled = true; + filter = "sshd[mode=aggressive]"; + port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports); + }; }; } diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix index b970945..b16ca8a 100644 --- a/modules/services/openssh.nix +++ b/modules/services/openssh.nix @@ -5,8 +5,8 @@ openFirewall = true; settings = { - UseDns = false; - X11Forwarding = false; + PermitRootLogin = "no"; + MaxAuthTries = 3; KexAlgorithms = [ "curve25519-sha256" |
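Review bot: The new `jails.sshd.settings` block in the second fail2ban.nix hunk has no effect while the context line `enable = false;` in the first hunk still leaves fail2ban disabled, so this commit does not yet add any SSH brute-force protection; either change it to `enable = true;` or state in the description why the jail is staged disabled. The `sshd[mode=aggressive]` filter widens what counts as a failure beyond failed logins (fail2ban's aggressive mode also matches pre-authentication disconnects), which raises the chance of banning legitimate clients on flaky connections, so a comment such as `# aggressive mode also bans pre-auth disconnects; local ranges are exempted via ignoreIP` next to it would help, assuming the RFC1918 list in the context lines is `ignoreIP` (its key is outside the hunk). Deriving `port` from `config.services.openssh.ports` is the right coupling; a short comment noting that it keeps the jail in step with non-default SSH ports would make the intent clear to the next reader. The openssh.nix hunk is cut off before its last line, so it is not reviewed here.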