Securing jeevesjr (#39)
* secured openssh * removing MaxSessions * setup endlessh * set openssh logging to VERBOSE * fix * got MaxSessions working * set ClientAliveCountMax * setup usbguard * updated central openssh settings * added sysstat service * add auditd * testing lynis setting * fixed typo * setup login.defs * removed login.defs * updated ChallengeResponseAuthentication to no * made LogLevel a Default Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com> --------- Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
This commit is contained in:
Richie Cahill
GitHub
parent
fb4039022d
commit
5af2c60bdb
@ -53,15 +53,21 @@
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# all of these setting are recommended by lynis unless otherwise commented
|
||||||
settings = {
|
settings = {
|
||||||
ClientAliveCountMax = 10;
|
AllowAgentForwarding = "no";
|
||||||
|
AllowTcpForwarding = "no";
|
||||||
|
ChallengeResponseAuthentication = "no";
|
||||||
|
ClientAliveCountMax = lib.mkDefault 2;
|
||||||
Compression = "NO";
|
Compression = "NO";
|
||||||
IgnoreRhosts = "yes";
|
IgnoreRhosts = "yes";
|
||||||
|
LogLevel = lib.mkDefault "VERBOSE";
|
||||||
MaxAuthTries = 3;
|
MaxAuthTries = 3;
|
||||||
MaxSessions = 10;
|
MaxSessions = lib.mkDefault 2;
|
||||||
PasswordAuthentication = false;
|
PasswordAuthentication = false;
|
||||||
PermitEmptyPasswords = "no";
|
PermitEmptyPasswords = "no";
|
||||||
PermitRootLogin = "no";
|
PermitRootLogin = "no";
|
||||||
|
TcpKeepAlive = "no";
|
||||||
|
|
||||||
KexAlgorithms = [
|
KexAlgorithms = [
|
||||||
"curve25519-sha256@libssh.org"
|
"curve25519-sha256@libssh.org"
|
||||||
|
|||||||
@ -33,17 +33,55 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment = {
|
||||||
docker-compose
|
systemPackages = with pkgs; [
|
||||||
];
|
docker-compose
|
||||||
|
];
|
||||||
|
|
||||||
|
etc = {
|
||||||
|
# Creates /etc/lynis/custom.prf
|
||||||
|
"lynis/custom.prf" = {
|
||||||
|
text = ''
|
||||||
|
skip-test=BANN-7126
|
||||||
|
skip-test=BANN-7130
|
||||||
|
skip-test=DEB-0520
|
||||||
|
skip-test=DEB-0810
|
||||||
|
skip-test=FIRE-4513
|
||||||
|
skip-test=HRDN-7222
|
||||||
|
skip-test=KRNL-5820
|
||||||
|
skip-test=LOGG-2190
|
||||||
|
skip-test=LYNIS
|
||||||
|
skip-test=TOOL-5002
|
||||||
|
'';
|
||||||
|
mode = "0440";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
security.auditd.enable = true;
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
nfs.server.enable = true;
|
nfs.server.enable = true;
|
||||||
|
|
||||||
|
endlessh-go = {
|
||||||
|
enable = true;
|
||||||
|
port = 22;
|
||||||
|
};
|
||||||
|
|
||||||
openssh.ports = [ 352 ];
|
openssh.ports = [ 352 ];
|
||||||
|
|
||||||
smartd.enable = true;
|
smartd.enable = true;
|
||||||
|
|
||||||
|
sysstat.enable = true;
|
||||||
|
|
||||||
|
usbguard = {
|
||||||
|
enable = true;
|
||||||
|
rules = ''
|
||||||
|
allow id 1532:0241
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
zfs = {
|
zfs = {
|
||||||
trim.enable = true;
|
trim.enable = true;
|
||||||
autoScrub.enable = true;
|
autoScrub.enable = true;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user