Compare commits
7 Commits
5d3bbe99f3
...
feature/se
| Author | SHA1 | Date | |
|---|---|---|---|
| bcebf18676 | |||
| 0370d784a0 | |||
| 260b2d2756 | |||
| 2477acdfc7 | |||
| 81c25d3f20 | |||
| 9b1f467db9 | |||
| 65fa778b2b |
@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
|
|||||||
## Build & Deployment
|
## Build & Deployment
|
||||||
|
|
||||||
- **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
|
- **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
|
||||||
|
- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
|
||||||
- **Development Shell:** Activate the development environment with `nix develop`.
|
- **Development Shell:** Activate the development environment with `nix develop`.
|
||||||
|
|
||||||
## Linting & Formatting
|
## Linting & Formatting
|
||||||
|
|||||||
@@ -314,9 +314,9 @@
|
|||||||
|
|
||||||
# Firewall - default deny, explicit allow
|
# Firewall - default deny, explicit allow
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
|
# Enable firewall with default deny policy (NixOS firewall denies all by default)
|
||||||
enable = true;
|
enable = true;
|
||||||
allowPing = true;
|
allowPing = true;
|
||||||
defaultAllow = false;
|
|
||||||
|
|
||||||
# Only essential ports exposed to internet
|
# Only essential ports exposed to internet
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
@@ -356,54 +356,74 @@
|
|||||||
# Fail2ban - automatic IP banning
|
# Fail2ban - automatic IP banning
|
||||||
services.fail2ban = {
|
services.fail2ban = {
|
||||||
enable = true;
|
enable = true;
|
||||||
maxRetry = 3;
|
maxretry = 3;
|
||||||
findtime = 600;
|
bantime = "1h";
|
||||||
bantime = 3600;
|
|
||||||
banaction = "iptables-multiport";
|
banaction = "iptables-multiport";
|
||||||
|
|
||||||
# Ban repeat offenders for 1 week
|
|
||||||
recidive = {
|
|
||||||
enabled = true;
|
|
||||||
filter = "recidive";
|
|
||||||
logpath = "/var/log/fail2ban.log";
|
|
||||||
bantime = 604800;
|
|
||||||
findtime = 86400;
|
|
||||||
maxretry = 3;
|
|
||||||
};
|
|
||||||
|
|
||||||
jails = {
|
jails = {
|
||||||
# SSH brute force protection
|
# SSH brute force protection (uses systemd journal backend)
|
||||||
sshd = {
|
sshd = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "sshd";
|
settings = {
|
||||||
port = "2424";
|
filter = "sshd";
|
||||||
logpath = "/var/log/auth.log";
|
port = "2424";
|
||||||
maxretry = 3;
|
maxretry = 3;
|
||||||
bantime = 3600;
|
bantime = "1h";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# HTTP authentication failures
|
# Recidive - ban repeat offenders for 1 week
|
||||||
|
recidive = {
|
||||||
|
enabled = true;
|
||||||
|
settings = {
|
||||||
|
filter = "recidive";
|
||||||
|
logpath = "/var/log/fail2ban.log";
|
||||||
|
bantime = "1w";
|
||||||
|
findtime = "1d";
|
||||||
|
maxretry = 3;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# HTTP authentication failures (Traefik)
|
||||||
http-auth = {
|
http-auth = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "apache-auth";
|
settings = {
|
||||||
port = "80,443";
|
filter = "traefik-auth";
|
||||||
logpath = "/var/log/traefik/access.log";
|
port = "80,443";
|
||||||
maxretry = 5;
|
logpath = "/var/log/traefik/access.log";
|
||||||
bantime = 3600;
|
maxretry = 5;
|
||||||
|
bantime = "1h";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# HTTP scanning/attacks
|
# HTTP scanning/attacks (Traefik)
|
||||||
http-botsearch = {
|
http-botsearch = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
filter = "apache-botsearch";
|
settings = {
|
||||||
port = "80,443";
|
filter = "traefik-botsearch";
|
||||||
logpath = [ "/var/log/traefik/access.log" ];
|
port = "80,443";
|
||||||
maxretry = 2;
|
logpath = "/var/log/traefik/access.log";
|
||||||
bantime = 7200;
|
maxretry = 2;
|
||||||
|
bantime = "2h";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Custom fail2ban filters for Traefik
|
||||||
|
environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
|
||||||
|
ignoreregex =
|
||||||
|
'';
|
||||||
|
|
||||||
|
environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
|
||||||
|
[Definition]
|
||||||
|
failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
|
||||||
|
^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
|
||||||
|
ignoreregex =
|
||||||
|
'';
|
||||||
|
|
||||||
# SSH hardening
|
# SSH hardening
|
||||||
services.openssh.settings = {
|
services.openssh.settings = {
|
||||||
PermitRootLogin = "no";
|
PermitRootLogin = "no";
|
||||||
@@ -470,7 +490,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
# Audit logging
|
# Audit logging
|
||||||
services.auditd.enable = true;
|
security.auditd.enable = true;
|
||||||
|
|
||||||
# Fail2ban log directory
|
# Fail2ban log directory
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
|
|||||||
Reference in New Issue
Block a user