From 5e693d0837bd4a02e60979f76ec4196bc6e32614 Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Mon, 23 Mar 2020 02:18:22 +0000
Subject: [PATCH] post(caddy-nixos-2): add networking stack hardening
---
 source/_posts/caddy-nixos-part-2.md | 45 +++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)
diff --git a/source/_posts/caddy-nixos-part-2.md b/source/_posts/caddy-nixos-part-2.md
index 7b4f779..52c88c1 100644
--- a/source/_posts/caddy-nixos-part-2.md
+++ b/source/_posts/caddy-nixos-part-2.md
@@ -248,7 +248,7 @@ I use USBGuard utility to allow or deny USB devices. In a virtual server environ
 Then, I just simply enable the service:
-```
+``` js
 services.usbguard = {
   enable = true;
   ruleFile = "/var/lib/usbguard/rules.conf";
@@ -257,4 +257,45 @@ Then, I just simply enable the service:
 Once enabled, any device not whitelisted in the policy will not be accessible.
-Above configurations show how I harden the installation. In the next part, I show how to configure Caddy as a reverse proxy and how to set up a Tor hidden (.onion) service.
+## Networking stack hardening and performance
+
+Based on [Ubuntu Wiki](https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings) and [ArchWiki](https://wiki.archlinux.org/index.php/sysctl).
+
+```
+ ## Enable BBR module
+ boot.kernelModules = [ "tcp_bbr" ];
+
+ ## Network hardening and performance
+ boot.kernel.sysctl = {
+ # Ignore ICMP broadcasts to avoid participating in Smurf attacks
+ "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+ # Ignore bad ICMP errors
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse-path filter for spoof protection
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # SYN flood protection
+ "net.ipv4.tcp_syncookies" = 1;
+ # Do not accept ICMP redirects (prevent MITM attacks)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Do not send ICMP redirects (we are not a router)
+ "net.ipv4.conf.all.send_redirects" = 0;
+ # Do not accept IP source route packets (we are not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Protect against tcp time-wait assassination hazards
+ "net.ipv4.tcp_rfc1337" = 1;
+ # Latency reduction
+ "net.ipv4.tcp_fastopen" = 3;
+ ## Bufferbloat mitigations
+ # Requires >= 4.9 & kernel module
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ # Requires >= 4.19
+ "net.core.default_qdisc" = "cake";
+ };
+```