Only open SSH port when SSH is enabled

Hektor Misplon 2025-11-16 16:02:35 +01:00
parent 27c5ec21a4
commit 59575b2ff9
3 changed files with 13 additions and 12 deletions


@ -46,7 +46,6 @@
}; };
networking.hostId = "80eef97e"; networking.hostId = "80eef97e";
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh = { services.openssh = {
enable = true; enable = true;
harden = true; harden = true;


@ -66,7 +66,6 @@
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
services.spice-vdagentd.enable = true; services.spice-vdagentd.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh = { services.openssh = {
enable = true; enable = true;
harden = true; harden = true;


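--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -5,15 +5,18 @@ let
 in
 {
 options.services.openssh.harden = mkEnableOption "harden ssh server configuration";
-config.services.openssh.settings = optionalAttrs cfg.harden {
-PermitRootLogin = "no";
-PasswordAuthentication = false;
-ChallengeResponseAuthentication = false;
-X11Forwarding = false;
-AllowAgentForwarding = false;
-AllowTcpForwarding = false;
-PermitTunnel = false;
-MaxAuthTries = 3;
-LoginGraceTime = "1m";
+config = {
+networking.firewall.allowedTCPPorts = [ 22 ];
+services.openssh.settings = optionalAttrs cfg.harden {
+PermitRootLogin = "no";
+PasswordAuthentication = false;
+ChallengeResponseAuthentication = false;
+X11Forwarding = false;
+AllowAgentForwarding = false;
+AllowTcpForwarding = false;
+PermitTunnel = false;
+MaxAuthTries = 3;
+LoginGraceTime = "1m";
+};
 };
 }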
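Review bot: The new `config = {` block at the top of this hunk opens TCP port 22 unconditionally, so every host that imports this module gets the firewall rule whether or not `services.openssh.enable` is set, which is the opposite of what the commit title promises. The port is also hard-coded instead of taken from `services.openssh.ports`, so a host that listens on a different port would still expose 22 to nothing. NixOS already provides `services.openssh.openFirewall`, which by default opens the configured ports only while the service is enabled, so the simplest fix is to drop the `networking.firewall.allowedTCPPorts = [ 22 ];` line and rely on that option; if an explicit rule is preferred, gate the block with `config = mkIf cfg.enable {`, which assumes the `let` binding above the hunk defines `cfg` as `config.services.openssh` and that `mkIf` is in scope next to `mkEnableOption`. The module's `let` block and the definition of `cfg` start outside the hunk.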