formatting: new formatting'

common/nixos/ssh/default.nix

@@ -0,0 +1,7 @@
+{lib, ...}: {
+  imports = [./ssh.nix ./ssh_client.nix ./ssh_guard.nix];
+
+  ssh_client.enable = lib.mkDefault true;
+  ssh.enable = lib.mkDefault false;
+  ssh_guard.enable = lib.mkDefault false;
+}

common/nixos/ssh/ssh.nix

@@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  user,
+  ...
+}: {
+  options = {
+    ssh.enable = lib.mkEnableOption "enable ssh settings";
+  };
+  config = lib.mkIf config.ssh.enable {
+    # https://www.ssh-audit.com/hardening_guides.html
+    # https://github.com/jtesta/ssh-audit
+    services.openssh = {
+      enable = true;
+      settings = {
+        ########## Features ##########
+
+        # disallow ssh-agent forwarding to prevent lateral movement
+        AllowAgentForwarding = false;
+
+        # prevent TCP ports from being forwarded over SSH tunnels
+        # **please be aware that disabling TCP forwarding does not prevent port forwarding**
+        # any user with an interactive login shell can spin up his/her own instance of sshd
+        AllowTcpForwarding = false;
+
+        # prevent StreamLocal (Unix-domain socket) forwarding
+        AllowStreamLocalForwarding = false;
+
+        # disables all forwarding features
+        # overrides all other forwarding switches
+        DisableForwarding = true;
+
+        # disallow remote hosts from connecting to forwarded ports
+        # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
+        GatewayPorts = "no";
+
+        # prevent tun device forwarding
+        PermitTunnel = false;
+
+        # suppress MOTD
+        PrintMotd = false;
+
+        # disable X11 forwarding since it is not necessary
+        X11Forwarding = false;
+
+        ########## Authentication ##########
+
+        AllowUsers = ["${user}"];
+
+        # Use keys only. Remove if you want to SSH using password (not recommended)
+        PasswordAuthentication = false;
+        HostbasedAuthentication = false;
+
+        # enable pubkey authentication
+        PubkeyAuthentication = true;
+
+        # Forbid root login through SSH.
+        PermitRootLogin = "no";
+
+        # nix enables pam by default
+        #UsePam = true;
+
+        ########## Cryptography ##########
+
+        # explicitly define cryptography algorithms to avoid the use of weak algorithms
+        # AES CTR modes have been removed to mitigate the Terrapin attack
+        #   https://terrapin-attack.com/
+
+        Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
+        Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
+        KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
+
+        ########## Connection Preferences ##########
+
+        # enforce SSH server to only use SSH protocol version 2
+        # SSHv1 contains security issues and should be avoided at all costs
+        # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+        #   specified anyways to ensure this configuration file's compatibility
+        #   with older versions of OpenSSH server
+        Protocol = 2;
+
+        # number of client alive messages sent without client responding
+        ClientAliveCountMax = 2;
+
+        # send a keepalive message to the client when the session has been idle for 300 seconds
+        # this prevents/detects connection timeouts
+        ClientAliveInterval = 300;
+
+        # compression before encryption might cause security issues
+        Compression = false;
+
+        # prevent SSH trust relationships from allowing lateral movements
+        IgnoreRhosts = true;
+
+        # log verbosely for addtional information
+        LogLevel = "VERBOSE";
+
+        # allow a maximum of two multiplexed sessions over a single TCP connection
+        MaxSessions = 2;
+      };
+    };
+  };
+}

common/nixos/ssh/ssh_client.nix

@@ -0,0 +1,85 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options = {
+    ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
+  };
+  config = lib.mkIf config.ssh_client.enable {
+    programs.ssh = {
+      # disable unnecessary forwardings
+      forwardX11 = false;
+
+      # explicitly define cryptography algorithms to avoid the use of weak algorithms
+      # AES CTR modes have been removed to mitigate the Terrapin attack
+      # https://terrapin-attack.com/
+      ciphers = [
+        "aes256-gcm@openssh.com"
+        "aes128-gcm@openssh.com"
+      ];
+      hostKeyAlgorithms = [
+        "ssh-ed25519"
+        "ssh-ed25519-cert-v01@openssh.com"
+        "sk-ssh-ed25519@openssh.com"
+        "sk-ssh-ed25519-cert-v01@openssh.com"
+        "rsa-sha2-256"
+        "rsa-sha2-256-cert-v01@openssh.com"
+        "rsa-sha2-512"
+        "rsa-sha2-512-cert-v01@openssh.com"
+      ];
+      macs = [
+        "hmac-sha2-256-etm@openssh.com"
+        "hmac-sha2-512-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
+      kexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+      ];
+      extraConfig = "
+      # disable unnecessary forwardings
+      ForwardAgent no
+      ForwardX11Trusted no
+      GatewayPorts no
+      Tunnel no
+
+      # disable unnecessary authentication methods
+      ChallengeResponseAuthentication no
+      GSSAPIAuthentication no
+      HostbasedAuthentication no
+
+      # define authentication methods to be used
+      PasswordAuthentication yes
+      PubkeyAuthentication yes
+      PreferredAuthentications publickey,password
+
+      # disable pre-connection compression as it could cause security issues
+      Compression no
+
+      # in addition to checking a host's hostname, also check the host's IP address
+      # this provides extra safety against DNS spoofing attacks
+      CheckHostIP yes
+
+      # ask the user if the user wants to accept the new host's host key
+      StrictHostKeyChecking ask
+
+      # hash the entries in the known_hosts file to prevent disclosure
+      # of the file's content
+      HashKnownHosts yes
+
+      # send a keepalive message to the server when the session has been idle for 60 seconds
+      # this prevents/detects connection timeouts
+      ServerAliveInterval 60
+
+      # increase the number of password retries
+      NumberOfPasswordPrompts 5
+
+      # display an ASCII art of the server's host key
+      VisualHostKey yes
+    ";
+    };
+  };
+}

common/nixos/ssh/ssh_guard.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options = {
+    ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
+  };
+  config = lib.mkIf config.ssh_guard.enable {
+    services.sshguard = {
+      enable = true;
+      services = [
+        "sshd"
+      ];
+      blocktime = 120;
+      detection_time = 1800;
+      blacklist_threshold = 120;
+      blacklist_file = "/var/lib/sshguard/blacklist.db";
+    };
+  };
+}