Securing jeevesjr (#39)

* secured openssh * removing MaxSessions * setup endlessh * set openssh logging to VERBOSE * fix * got MaxSessions working * set ClientAliveCountMax * setup usbguard * updated central openssh settings * added sysstat service * add auditd * testing lynis setting * fixed typo * setup login.defs * removed login.defs * updated ChallengeResponseAuthentication to no * made LogLevel a Default Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com> --------- Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
2024-01-13 22:20:01 -05:00
parent fb4039022d
commit 5af2c60bdb
2 changed files with 49 additions and 5 deletions
--- a/systems/configuration.nix
+++ b/systems/configuration.nix
@ -53,15 +53,21 @@
        }
      ];

+      # all of these setting are recommended by lynis unless otherwise commented
      settings = {
-        ClientAliveCountMax = 10;
+        AllowAgentForwarding = "no";
+        AllowTcpForwarding = "no";
+        ChallengeResponseAuthentication = "no";
+        ClientAliveCountMax = lib.mkDefault 2;
        Compression = "NO";
        IgnoreRhosts = "yes";
+        LogLevel = lib.mkDefault "VERBOSE";
        MaxAuthTries = 3;
-        MaxSessions = 10;
+        MaxSessions = lib.mkDefault 2;
        PasswordAuthentication = false;
        PermitEmptyPasswords = "no";
        PermitRootLogin = "no";
+        TcpKeepAlive = "no";

        KexAlgorithms = [
          "curve25519-sha256@libssh.org"