From 59357479023ea40fbf0cd0374c244581a9a2cf00 Mon Sep 17 00:00:00 2001
From: Robert
Date: Mon, 4 May 2026 23:20:57 -0400
Subject: [PATCH] Security fixes

---
 hosts/lazyworkhorse/configuration.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index a74ec09..13a6ad2 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -342,9 +342,12 @@
 # Rate limiting and attack prevention
 extraCommands = ''
- # Rate limit SSH connections (max 4 new connections per 60 seconds)
+ # 1. Wipe the INPUT chain clean at the start of every activation
+ iptables -F INPUT
+
+ # Rate limit SSH connections (max 20 new connections per 60 seconds)
 iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --set
- iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
+ iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
 # Rate limit HTTP/HTTPS (protects Traefik)
 iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
@@ -355,6 +358,10 @@
 # Log dropped packets (rate limited)
 iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
+
+ # 3. CRITICAL: Re-link the NixOS default firewall chain
+ # Without this line, the 'allowedTCPPorts' in your Nix config will be ignored!
+ iptables -A INPUT -j nixos-fw
 '';
 };
@@ -433,7 +440,7 @@
 services.openssh.settings = {
 PermitRootLogin = "no";
 MaxAuthTries = 3;
- MaxSessions = 5;
+ MaxSessions = 10;
 LoginGraceTime = 30;
 ClientAliveInterval = 300;
 ClientAliveCountMax = 2;
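Review bot: `iptables -F INPUT` at the top of extraCommands flushes every IPv4 INPUT rule, not only the ones this block appended on the previous activation; any INPUT rule another service on the host maintains (libvirt or a container runtime would, if present) is discarded on every firewall start, and the ip6tables INPUT chain is left untouched, so the cleanup is both too broad and asymmetric. On the stock NixOS iptables firewall module the start script already removes its own `-j nixos-fw` jump and rebuilds its chains before extraCommands runs, so the flush only buys idempotency for this block's own rules. A dedicated chain gives the same idempotency without touching anything else: create-or-flush it, re-link it from INPUT, and append the rate-limit rules to it, with the matching `iptables -D INPUT -j nixos-ratelimit 2>/dev/null || true` in `networking.firewall.extraStopCommands`. Separately, raising `--hitcount` from 4 to 20 loosens the per-source SSH limit fivefold in a commit titled "Security fixes" with no stated reason; a comment such as `# 20 new connections/min per source: <reason, e.g. scripted deploys opening several connections>` would record the trade-off. The extraCommands string continues past the end of this hunk.
```nix
      extraCommands = ''
        # Own chain: created once and flushed on every activation, so re-runs stay
        # idempotent without discarding rules other services keep in INPUT.
        iptables -N nixos-ratelimit 2>/dev/null || iptables -F nixos-ratelimit
        iptables -D INPUT -j nixos-ratelimit 2>/dev/null || true
        iptables -A INPUT -j nixos-ratelimit

        # Rate limit SSH connections (max 20 new connections per 60 seconds)
        iptables -A nixos-ratelimit -p tcp --dport 2424 -m state --state NEW -m recent --set
        iptables -A nixos-ratelimit -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
        # … unchanged: HTTP/HTTPS limits and the LOG rule, appended to nixos-ratelimit instead of INPUT …
```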
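Review bot: `iptables -A INPUT -j nixos-fw` duplicates a jump that the stock NixOS iptables firewall start script appends to INPUT itself immediately after extraCommands has run, so after activation INPUT carries two consecutive jumps to nixos-fw; this is harmless for matching, but the comment above it is false — allowedTCPPorts were not ignored for lack of this line — and a maintainer reading "CRITICAL" will be afraid to remove it. If the line is kept as a belt-and-braces measure against the flush earlier in the block, the comment should say exactly that, e.g. `# Re-link nixos-fw in case the flush above removed it; the NixOS module appends the same jump after extraCommands, so this is redundant on the stock firewall.`, otherwise drop it. The step comments are also numbered "1." and "3." with no "2.", and "your Nix config" reads as advice to a reader rather than a description of this file; plain declarative comments fit the surrounding style better. This assumes the stock networking.firewall iptables backend; a custom firewall unit could order things differently. The extraCommands string begins before this hunk.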
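Review bot: `MaxSessions = 10` doubles the previous limit with nothing in the commit message explaining why, and a title of "Security fixes" suggests tightening rather than loosening, so the next reviewer is likely to read this as a regression. MaxSessions bounds multiplexed shell/sftp sessions per network connection (ControlMaster reuse), not concurrent logins or unauthenticated connection attempts; if the intent was to stop legitimate users being throttled, the relevant knobs are MaxStartups here and the `-m recent` hitcount in the firewall block, not this one. A one-line comment above the setting recording the trigger, e.g. `# raised from 5: <reason, e.g. multiplexed sessions from deploy tooling>`, would preserve that rationale. The services.openssh.settings block continues past the end of this hunk.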