base: update SSH security · koi.rip/dotfiles@6ac970a

koi.rip / dotfiles

fork atom

my nixos dotfiles :3 (git.koi.rip mirror) git.koi.rip/koi/dotfiles

linux dotfiles neovim nixos catppuccin

fork atom

base: update SSH security

koi.rip 2 months ago 6ac970af db25b76a

+1 -5

2 changed files

expand all

unified split

modules

base

networking.nix

services

openssh.nix

-5

modules/base/networking.nix

··· 42 42 for ip in "''${v6blocklist[@]}"; do 43 43 ensure_rule6 -s "$ip" -j DROP 44 44 done 45 - 46 - ensure_rule -p tcp --dport 22 -m conntrack --ctstate NEW \ 47 - -m recent --name SSH --rsource --update --seconds 120 --hitcount 10 -j DROP 48 - ensure_rule -p tcp --dport 22 -m conntrack --ctstate NEW \ 49 - -m recent --name SSH --rsource --set 50 45 ''; 51 46 }; 52 47 };

modules/base/services/openssh.nix

··· 3 3 enable = true; 4 4 openFirewall = true; 5 5 settings = { 6 + LogLevel = "ERROR"; # haxerz OUT 6 7 PubkeyAuthentication = true; 7 8 PasswordAuthentication = false; 8 9 KbdInteractiveAuthentication = false;