post(caddy-nixos-2): add networking stack hardening
parent
5debe1419d
commit
5e693d0837
@ -248,7 +248,7 @@ I use USBGuard utility to allow or deny USB devices. In a virtual server environ
|
|||
|
||||
Then, I just simply enable the service:
|
||||
|
||||
```
|
||||
``` js
|
||||
services.usbguard = {
|
||||
enable = true;
|
||||
ruleFile = "/var/lib/usbguard/rules.conf";
|
||||
|
@ -257,4 +257,45 @@ Then, I just simply enable the service:
|
|||
|
||||
Once enabled, any device not whitelisted in the policy will not be accessible.
|
||||
|
||||
Above configurations show how I harden the installation. In the next part, I show how to configure Caddy as a reverse proxy and how to set up a Tor hidden (.onion) service.
|
||||
## Networking stack hardening and performance
|
||||
|
||||
Based on [Ubuntu Wiki](https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings) and [ArchWiki](https://wiki.archlinux.org/index.php/sysctl).
|
||||
|
||||
```
|
||||
## Enable BBR module
|
||||
boot.kernelModules = [ "tcp_bbr" ];
|
||||
|
||||
## Network hardening and performance
|
||||
boot.kernel.sysctl = {
|
||||
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
|
||||
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
|
||||
# Ignore bad ICMP errors
|
||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||
# Reverse-path filter for spoof protection
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
# SYN flood protection
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||
# Protect against tcp time-wait assassination hazards
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
# Latency reduction
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
## Bufferbloat mitigations
|
||||
# Requires >= 4.9 & kernel module
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
# Requires >= 4.19
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
```
|
||||
|
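Review bot: The redirect and source-route settings in the new `boot.kernel.sysctl` block are only half-applied: `accept_redirects` is set for both `all` and `default`, but `send_redirects` and `accept_source_route` are set for `all` only, so an interface created after boot (a Tor or container veth, for example) inherits the kernel defaults for those two. Adding `"net.ipv4.conf.default.send_redirects" = 0;` next to the existing `all.send_redirects` line, and `"net.ipv4.conf.default.accept_source_route" = 0;` plus `"net.ipv6.conf.default.accept_source_route" = 0;` next to the `accept_source_route` pair, keeps the block consistent with its own `all`/`default` pattern; I believe the cited Ubuntu wiki page lists the `default` variants as well. Separately, `"net.ipv4.tcp_fastopen" = 3;` sits under a hardening heading but is a latency setting, and its server-side bit only takes effect once the listening service itself opts in to Fast Open, so the `# Latency reduction` comment could say that it does nothing for Caddy unless Caddy enables it. The new code fence also opens with a bare ``` while the first hunk carries a `js`-tagged fence; tagging it (`nix` would be the accurate language) keeps the post consistent.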