gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

security: harden lazyworkhorse with firewall, fail2ban, SSH hardening #28

Merged
gortium merged 11 commits from feature/server-hardening-clean into master 2026-05-03 09:11:58 +00:00
Conversation 1 Commits 11 Files Changed 5 +331 -2
Hermes commented 2026-04-30 17:47:48 +00:00
Collaborator
Copy Link

Summary

Adds comprehensive server hardening for internet-facing NixOS host.

Changes

Firewall (default deny)

  • Only essential ports exposed: SSH (2424), Gitea (2222), HTTP/HTTPS (80/443)
  • Rate limiting: SSH (4 conn/min), HTTP/HTTPS (25/min)
  • Invalid packet dropping + logging

Fail2ban

  • SSH jail: 3 strikes → 1 hour ban
  • HTTP auth jail: 5 failures → 1 hour ban
  • Bot search jail: 2 hits → 2 hour ban
  • Recidive jail: repeat offenders → 1 week ban
  • Custom Traefik filters for HTTP jails

SSH Hardening

  • Root login disabled
  • Max 3 auth tries, 5 sessions
  • 30s login grace time
  • Verbose logging
  • X11/TCP/Agent forwarding disabled

Kernel Hardening

  • SYN flood protection
  • IP spoofing protection
  • Source routing disabled
  • ICMP redirects disabled

Dependencies

Merge compose PR first, then this one.

Deployment

# 1. Deploy compose changes first
cd ~/infra/assets/compose/network
docker compose up -d traefik

# 2. Deploy NixOS config
nh os switch .#lazyworkhorse

# 3. Verify hardening
/opt/data/scripts/security-audit.sh

Verification

# Check firewall
sudo iptables -L -n -v

# Check fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client status http-auth
sudo fail2ban-client status http-botsearch

# Check SSH config
sudo sshd -T | grep -E "^(permitrootlogin|maxauthtries|loglevel)"

Related

  • Skill: nixos-server-hardening
  • Based on PR #27 reference implementation
## Summary Adds comprehensive server hardening for internet-facing NixOS host. ## Changes ### Firewall (default deny) - Only essential ports exposed: SSH (2424), Gitea (2222), HTTP/HTTPS (80/443) - Rate limiting: SSH (4 conn/min), HTTP/HTTPS (25/min) - Invalid packet dropping + logging ### Fail2ban - SSH jail: 3 strikes → 1 hour ban - HTTP auth jail: 5 failures → 1 hour ban - Bot search jail: 2 hits → 2 hour ban - Recidive jail: repeat offenders → 1 week ban - Custom Traefik filters for HTTP jails ### SSH Hardening - Root login disabled - Max 3 auth tries, 5 sessions - 30s login grace time - Verbose logging - X11/TCP/Agent forwarding disabled ### Kernel Hardening - SYN flood protection - IP spoofing protection - Source routing disabled - ICMP redirects disabled ## Dependencies - **Requires:** [compose PR #15](https://code.lazyworkhorse.net/gortium/compose/pulls/15) (Traefik access logs) Merge compose PR first, then this one. ## Deployment ```bash # 1. Deploy compose changes first cd ~/infra/assets/compose/network docker compose up -d traefik # 2. Deploy NixOS config nh os switch .#lazyworkhorse # 3. Verify hardening /opt/data/scripts/security-audit.sh ``` ## Verification ```bash # Check firewall sudo iptables -L -n -v # Check fail2ban sudo fail2ban-client status sudo fail2ban-client status sshd sudo fail2ban-client status http-auth sudo fail2ban-client status http-botsearch # Check SSH config sudo sshd -T | grep -E "^(permitrootlogin|maxauthtries|loglevel)" ``` ## Related - Skill: `nixos-server-hardening` - Based on PR #27 reference implementation
Hermes added 3 commits 2026-04-30 17:47:49 +00:00
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening 7994aad8d8 
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets

- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban

- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging

- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load

- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
security: add restricted sudo for ai-worker with security audit commands 21bd4bb283 
- Deployment: nh os switch, nixos-rebuild switch (flake path locked)
- Firewall checks: iptables -L, iptables -S
- Fail2ban: status, banned IPs
- Logs: journalctl for kernel and fail2ban
- SSH config: sshd -T for verification
- Docker: ps, inspect (service health)
- Network: ss -tlnp, /proc/net/tcp

All commands are whitelisted with NOPASSWD.
No shell access, no ALL command - principle of least privilege.
security: remove deployment commands from ai-worker sudo rules 3e04ccc1e8 
ai-worker only needs security audit commands, not deployment access.

Removed:
- nh os switch
- nixos-rebuild switch

Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
Hermes commented 2026-04-30 18:37:40 +00:00
Author
Collaborator
Copy Link

Merge Priority

This PR is marked as PRIORITY #1 - must merge before other feature PRs to ensure all services are protected.

See merge plan: PR #29 - #29

After Merge

Verify with:

  • sudo iptables -L -n -v
  • sudo fail2ban-client status
## Merge Priority This PR is marked as **PRIORITY #1** - must merge before other feature PRs to ensure all services are protected. See merge plan: **PR #29** - https://code.lazyworkhorse.net/gortium/infra/pulls/29 ### After Merge Verify with: - sudo iptables -L -n -v - sudo fail2ban-client status
Hermes added 1 commit 2026-05-01 02:07:52 +00:00
fix: remove invalid networking.firewall.defaultAllow option - NixOS denies by default 6999d50f35
Hermes added 1 commit 2026-05-01 02:09:53 +00:00
fix: services.auditd -> security.audit (correct NixOS option path) 9291d83870
Hermes added 1 commit 2026-05-01 02:12:34 +00:00
fix: correct fail2ban options - use lower attr names, nested settings, proper types 8bdd0e352a
Hermes force-pushed feature/server-hardening-clean from 8bdd0e352a to 5d3bbe99f3 2026-05-01 03:34:06 +00:00 Compare
Hermes added 1 commit 2026-05-01 03:41:45 +00:00
fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails 65fa778b2b
Hermes added 1 commit 2026-05-01 03:53:04 +00:00
fix: remove invalid networking.firewall.defaultAllow option 9b1f467db9
Hermes added 1 commit 2026-05-01 03:55:13 +00:00
fix: use security.auditd instead of services.auditd 81c25d3f20
Hermes added 1 commit 2026-05-01 03:57:24 +00:00
fix: services.fail2ban top-level options - no findtime, maxretry lowercase 2477acdfc7
Hermes added 1 commit 2026-05-01 03:59:35 +00:00
fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime 260b2d2756
Hermes added 1 commit 2026-05-01 04:02:09 +00:00
fix: http-botsearch logpath must be string, not list 0370d784a0
Hermes added 1 commit 2026-05-01 11:59:37 +00:00
fix: move filter into jail settings (NixOS submodule doesn't pass string filters) bcebf18676
gortium merged commit 4cceab05d0 into master 2026-05-03 09:11:58 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Hermes gortium
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: gortium/infra#28
No description provided.
Delete Branch "feature/server-hardening-clean"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?