wildfire: 324 current 2025-06-24 18:09:13 25.05.20250620.b2485d5 6.15.3 *

SSH, fail2ban, aliases
2025-06-24 18:09:35 +02:00
parent be9e1666a8
commit 2d7fe550ff
3 changed files with 107 additions and 17 deletions
--- a/modules/common.nix
+++ b/modules/common.nix
@ -40,6 +40,7 @@
      ./home/vim.nix # Vim config
      ./home/hyprsunset.nix # Hyprsunset night mode
      ./home/btop.nix # Btop config
+      ./home/ssh.nix # SSH config
    ];
  };

@ -80,13 +81,6 @@
    firewall.enable = true;
  };

-  # ================================
-  # SECURITY HARDENING
-  # ================================
-  # Disable core dumps to prevent potential security exploits
-  # and improve system performance during crashes
-  systemd.coredump.enable = false;
-
  # ================================
  # LOCALIZATION
  # ================================
@ -141,7 +135,7 @@
  };

  # ================================
-  # SECURITY & PERMISSIONS
+  # PERMISSIONS
  # ================================
  # Enable real-time scheduling for audio applications (low-latency audio)
  security.rtkit.enable = true;
@ -198,8 +192,27 @@
  };

  # ================================
-  # SANDBOXED APPLICATIONS
+  # SECURITY HARDENING
  # ================================
+  # Enable fail2ban for brute force protection
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 3 failures
+    maxretry = 3;
+    bantime = "1h"; # Ban IPs for one hour on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+  };
+
+  # Disable core dumps to prevent potential security exploits
+  # and improve system performance during crashes
+  systemd.coredump.enable = false;
+
+  # SANDBOXED APPLICATIONS
  # Enable Firejail for application sandboxing (security)
  programs.firejail = {
    enable = true;
@ -237,9 +250,7 @@
    '';
  };

-  # ================================
  # HARDWARE SECURITY (YUBIKEY)
-  # ================================
  # Enable Yubikey support for SSH and GPG
  services.yubikey-agent.enable = true;
  # Enable U2F authentication for login
--- a/modules/home/ssh.nix
+++ b/modules/home/ssh.nix
@ -0,0 +1,79 @@
+{
+  programs.ssh = {
+    enable = true;
+    serverAliveInterval = 60;
+    serverAliveCountMax = 2;
+
+    matchBlocks = {
+      "d10.csb.brainmill.com" = {
+        forwardAgent = true;
+        port = 22;
+      };
+      "prod-admin-jump1.infra.csbnet.se" = {
+        forwardAgent = true;
+        port = 22;
+      };
+      "prod-jump-got1.infra.brainmill.com" = {
+        forwardAgent = true;
+        port = 22;
+      };
+      "sw-fys-kt11-serv1.net.chsfg.se" = {
+        hostname = "10.2.13.10";
+      };
+      "sw-fys-kt11-kansli1.net.chsfg.se" = {
+        hostname = "10.2.13.11";
+      };
+      "sw-fys-kt11-kansli2.net.chsfg.se" = {
+        hostname = "10.2.13.12";
+      };
+      "sw-fys-kt11-reception1.net.chsfg.se" = {
+        hostname = "10.2.13.13";
+      };
+      "sw-fys-kt11-reception2.net.chsfg.se" = {
+        hostname = "10.2.13.14";
+      };
+      "sw-fys-gg39-kom.net.chsfg.se" = {
+        hostname = "10.1.13.10";
+      };
+      "sw-fys-gg39-skap.net.chsfg.se" = {
+        hostname = "10.1.13.11";
+      };
+      "sw-fys-ev1.net.chsfg.se" = {
+        hostname = "10.62.13.10";
+      };
+      "192.168.10.20" = {
+        hostname = "192.168.10.20";
+        user = "manager";
+      };
+      "192.168.10.50" = {
+        hostname = "192.168.10.50";
+      };
+      "gw1.net.chsfg.se" = {
+        forwardAgent = true;
+        hostname = "2a02:9a0:fffe:4::3";
+      };
+      "gw2.net.chsfg.se" = {
+        forwardAgent = true;
+        hostname = "2a02:9a0:fffe:4::5";
+      };
+      "cv11-stor-gw.net.chsfg.se" = {
+        proxyCommand = "ssh prod-admin-jump1.infra.csbnet.se /bin/nc %h 22";
+        hostname = "176.10.244.136";
+        user = "root";
+        port = 8822;
+      };
+      "tp2-core1.net.chsfg.se" = {
+        hostname = "192.168.10.52";
+        user = "nvg";
+      };
+      "gw-shg9d-ctk.net.chsfg.se" = {
+        hostname = "83.218.70.146";
+        user = "admin";
+      };
+      "lp5-core1.net.chsfg.se" = {
+        hostname = "192.168.10.51";
+        user = "nvg";
+      };
+    };
+  };
+}
--- a/modules/programs.nix
+++ b/modules/programs.nix
@ -108,12 +108,12 @@ in {
        "....." = "cd ../../../../";

        # Work aliases
-        "csb_jump" = "ssh -A prod-admin-jump1.infra.csbnet.se";
-        "csb_proxmox" = "ssh -A -L1337:172.18.200.21:8006 prod-admin-jump1.infra.csbnet.se";
-        "csb_ups1" = "ssh -A -L1338:172.18.79.1:80 prod-admin-jump1.infra.csbnet.se";
-        "csb_ups2" = "ssh -A -L1339:172.18.79.3:80 prod-admin-jump1.infra.csbnet.se";
-        "neanet_jump" = "ssh -A prod-jump-got1.infra.brainmill.com";
-        "neanet_proxmox" = "ssh -A -L1338:[2a09:2681:ffff:13::104]:8006 prod-jump-got1.infra.brainmill.com";
+        "jumpc" = "ssh prod-admin-jump1.infra.csbnet.se";
+        "proxc" = "ssh -L1337:172.18.200.21:8006 prod-admin-jump1.infra.csbnet.se";
+        "jumpn" = "ssh prod-jump-got1.infra.brainmill.com";
+        "proxmoxn" = "ssh -L1338:[2a09:2681:ffff:13::104]:8006 prod-jump-got1.infra.brainmill.com";
+        "ups1c" = "ssh -L1339:172.18.79.1:80 prod-admin-jump1.infra.csbnet.se";
+        "ups2c" = "ssh -L1340:172.18.79.3:80 prod-admin-jump1.infra.csbnet.se";
      };
      shellAbbrs = {
        "cp" = "cp -v";