
SSH, fail2ban, aliases
This commit is contained in:
2025-06-24 18:09:35 +02:00
parent be9e1666a8
commit 2d7fe550ff
3 changed files with 107 additions and 17 deletions


@ -40,6 +40,7 @@
./home/vim.nix # Vim config
./home/hyprsunset.nix # Hyprsunset night mode
./home/btop.nix # Btop config
./home/ssh.nix # SSH config
];
};
@ -80,13 +81,6 @@
firewall.enable = true;
};
# ================================
# SECURITY HARDENING
# ================================
# Disable core dumps to prevent potential security exploits
# and improve system performance during crashes
systemd.coredump.enable = false;
# ================================
# LOCALIZATION
# ================================
@ -141,7 +135,7 @@
};
# ================================
# SECURITY & PERMISSIONS
# PERMISSIONS
# ================================
# Enable real-time scheduling for audio applications (low-latency audio)
security.rtkit.enable = true;
@ -198,8 +192,27 @@
};
# ================================
# SANDBOXED APPLICATIONS
# SECURITY HARDENING
# ================================
# Enable fail2ban for brute force protection
services.fail2ban = {
enable = true;
# Ban IP after 3 failures
maxretry = 3;
bantime = "1h"; # Ban IPs for one hour on the first ban
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
# Disable core dumps to prevent potential security exploits
# and improve system performance during crashes
systemd.coredump.enable = false;
# SANDBOXED APPLICATIONS
# Enable Firejail for application sandboxing (security)
programs.firejail = {
enable = true;
@ -237,9 +250,7 @@
'';
};
# ================================
# HARDWARE SECURITY (YUBIKEY)
# ================================
# Enable Yubikey support for SSH and GPG
services.yubikey-agent.enable = true;
# Enable U2F authentication for login
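Review bot: The new `services.fail2ban` block only bans on behalf of an active jail, and none is declared in the hunk; on NixOS the sshd jail is normally derived from `services.openssh.enable`, which is not visible in this section, so it is worth confirming that an `sshd` jail actually shows up in `fail2ban-client status` on this host. With `maxretry = 3` and an escalating `bantime` up to `168h`, three mistyped passwords from the admin's own workstation can lock it out for a week; `ignoreIP = [ "<trusted-lan-cidr>" ];` next to `maxretry` keeps trusted source networks exempt. The relocated `# SANDBOXED APPLICATIONS` heading lost the `# ====` separator lines that every other section heading in the file carries; restoring them keeps the section layout consistent.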

79
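--- a/modules/home/ssh.nix
+++ b/modules/home/ssh.nix
@@ -0,0 +1,79 @@
+{
+programs.ssh = {
+enable = true;
+serverAliveInterval = 60;
+serverAliveCountMax = 2;
+matchBlocks = {
+"d10.csb.brainmill.com" = {
+forwardAgent = true;
+port = 22;
+};
+"prod-admin-jump1.infra.csbnet.se" = {
+forwardAgent = true;
+port = 22;
+};
+"prod-jump-got1.infra.brainmill.com" = {
+forwardAgent = true;
+port = 22;
+};
+"sw-fys-kt11-serv1.net.chsfg.se" = {
+hostname = "10.2.13.10";
+};
+"sw-fys-kt11-kansli1.net.chsfg.se" = {
+hostname = "10.2.13.11";
+};
+"sw-fys-kt11-kansli2.net.chsfg.se" = {
+hostname = "10.2.13.12";
+};
+"sw-fys-kt11-reception1.net.chsfg.se" = {
+hostname = "10.2.13.13";
+};
+"sw-fys-kt11-reception2.net.chsfg.se" = {
+hostname = "10.2.13.14";
+};
+"sw-fys-gg39-kom.net.chsfg.se" = {
+hostname = "10.1.13.10";
+};
+"sw-fys-gg39-skap.net.chsfg.se" = {
+hostname = "10.1.13.11";
+};
+"sw-fys-ev1.net.chsfg.se" = {
+hostname = "10.62.13.10";
+};
+"192.168.10.20" = {
+hostname = "192.168.10.20";
+user = "manager";
+};
+"192.168.10.50" = {
+hostname = "192.168.10.50";
+};
+"gw1.net.chsfg.se" = {
+forwardAgent = true;
+hostname = "2a02:9a0:fffe:4::3";
+};
+"gw2.net.chsfg.se" = {
+forwardAgent = true;
+hostname = "2a02:9a0:fffe:4::5";
+};
+"cv11-stor-gw.net.chsfg.se" = {
+proxyCommand = "ssh prod-admin-jump1.infra.csbnet.se /bin/nc %h 22";
+hostname = "176.10.244.136";
+user = "root";
+port = 8822;
+};
+"tp2-core1.net.chsfg.se" = {
+hostname = "192.168.10.52";
+user = "nvg";
+};
+"gw-shg9d-ctk.net.chsfg.se" = {
+hostname = "83.218.70.146";
+user = "admin";
+};
+"lp5-core1.net.chsfg.se" = {
+hostname = "192.168.10.51";
+user = "nvg";
+};
+};
+};
+}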
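Review bot: `forwardAgent = true` on the jump hosts (d10, prod-admin-jump1, prod-jump-got1, gw1, gw2) hands the local agent socket to each of those machines, so anyone with root there can sign with the workstation's keys for the duration of the session; for hosts that are only reached through a jump, `proxyJump` gives the same reachability without exposing the agent. The `cv11-stor-gw` entry is the natural place to start: `proxyJump = "prod-admin-jump1.infra.csbnet.se";` replaces the `proxyCommand = "ssh … /bin/nc %h 22"` line and drops the dependency on `nc` being present on the jump host. In that same block `port = 8822` is set while the proxy command hard-codes `22`, so only one of the two can be the port the target listens on; if 8822 is correct, `%p` should replace the literal, and if 22 is correct from the jump host's side, a comment saying why the two differ would save the next reader the same question. `user = "root"` on that host makes every login a root login; where the device allows it, a named account plus `sudo` leaves an audit trail.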


@ -108,12 +108,12 @@ in {
"....." = "cd ../../../../";
# Work aliases
"csb_jump" = "ssh -A prod-admin-jump1.infra.csbnet.se";
"csb_proxmox" = "ssh -A -L1337:172.18.200.21:8006 prod-admin-jump1.infra.csbnet.se";
"csb_ups1" = "ssh -A -L1338:172.18.79.1:80 prod-admin-jump1.infra.csbnet.se";
"csb_ups2" = "ssh -A -L1339:172.18.79.3:80 prod-admin-jump1.infra.csbnet.se";
"neanet_jump" = "ssh -A prod-jump-got1.infra.brainmill.com";
"neanet_proxmox" = "ssh -A -L1338:[2a09:2681:ffff:13::104]:8006 prod-jump-got1.infra.brainmill.com";
"jumpc" = "ssh prod-admin-jump1.infra.csbnet.se";
"proxc" = "ssh -L1337:172.18.200.21:8006 prod-admin-jump1.infra.csbnet.se";
"jumpn" = "ssh prod-jump-got1.infra.brainmill.com";
"proxmoxn" = "ssh -L1338:[2a09:2681:ffff:13::104]:8006 prod-jump-got1.infra.brainmill.com";
"ups1c" = "ssh -L1339:172.18.79.1:80 prod-admin-jump1.infra.csbnet.se";
"ups2c" = "ssh -L1340:172.18.79.3:80 prod-admin-jump1.infra.csbnet.se";
};
shellAbbrs = {
"cp" = "cp -v";