curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post(caddy-nixos-2): add networking stack hardening

This commit is contained in:
MDLeom 2020-03-23 02:18:22 +00:00
parent 5debe1419d
commit 5e693d0837
No known key found for this signature in database
GPG Key ID: 5D9DB57A25D34EE3
1 changed files with 43 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
source/_posts/caddy-nixos-part-2.md
View File

@ -248,7 +248,7 @@ I use USBGuard utility to allow or deny USB devices. In a virtual server environ
Then, I just simply enable the service: Then, I just simply enable the service:
``` ``` js
services.usbguard = { services.usbguard = {
enable = true; enable = true;
ruleFile = "/var/lib/usbguard/rules.conf"; ruleFile = "/var/lib/usbguard/rules.conf";
@ -257,4 +257,45 @@ Then, I just simply enable the service:
Once enabled, any device not whitelisted in the policy will not be accessible. Once enabled, any device not whitelisted in the policy will not be accessible.
Above configurations show how I harden the installation. In the next part, I show how to configure Caddy as a reverse proxy and how to set up a Tor hidden (.onion) service. ## Networking stack hardening and performance
Based on [Ubuntu Wiki](https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings) and [ArchWiki](https://wiki.archlinux.org/index.php/sysctl).
```
## Enable BBR module
boot.kernelModules = [ "tcp_bbr" ];
## Network hardening and performance
boot.kernel.sysctl = {
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
# Ignore bad ICMP errors
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse-path filter for spoof protection
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# SYN flood protection
"net.ipv4.tcp_syncookies" = 1;
# Do not accept ICMP redirects (prevent MITM attacks)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Do not send ICMP redirects (we are not a router)
"net.ipv4.conf.all.send_redirects" = 0;
# Do not accept IP source route packets (we are not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Protect against tcp time-wait assassination hazards
"net.ipv4.tcp_rfc1337" = 1;
# Latency reduction
"net.ipv4.tcp_fastopen" = 3;
## Bufferbloat mitigations
# Requires >= 4.9 & kernel module
"net.ipv4.tcp_congestion_control" = "bbr";
# Requires >= 4.19
"net.core.default_qdisc" = "cake";
};
```