Skip to content

Security: djvcom/nixos-config

Security

SECURITY.md

Security Hardening Reference

Authoritative references for the security measures implemented in this NixOS configuration.

Kernel Hardening (CIS Benchmarks)

The kernel sysctls in modules/features/server/hardening.nix follow CIS Benchmark recommendations and Linux kernel security best practices.

Network Stack

Setting Value Purpose Reference
net.ipv4.tcp_syncookies 1 Mitigate SYN flood DoS attacks CIS 3.3.8
net.ipv4.conf.all.accept_redirects 0 Prevent ICMP redirect attacks CIS 3.2.2
net.ipv4.conf.all.send_redirects 0 Disable ICMP redirect sending CIS 3.2.3
net.ipv4.conf.all.rp_filter 1 Reverse path filtering (anti-spoofing) CIS 3.3.7
net.ipv4.conf.all.log_martians 1 Log packets with impossible addresses CIS 3.2.4

Kernel Security

Setting Value Purpose Reference
kernel.kptr_restrict 2 Hide kernel pointers (KASLR protection) Kernel docs
kernel.dmesg_restrict 1 Restrict dmesg to CAP_SYSLOG Kernel docs
kernel.perf_event_paranoid 3 Restrict perf to CAP_SYS_ADMIN Kernel perf security
kernel.unprivileged_bpf_disabled 1 Disable unprivileged eBPF SUSE KB
net.core.bpf_jit_harden 2 Harden BPF JIT compiler Kernel net docs

SSH Hardening

Configuration in modules/features/base/ssh.nix follows NIST and CIS guidelines.

Setting Value Purpose Reference
PasswordAuthentication no Enforce key-based auth NIST IR 7966
PermitRootLogin no Prevent direct root access CIS 5.2.8
KbdInteractiveAuthentication no Disable keyboard-interactive NIST SP 800-123

PostgreSQL Authentication

Configuration in modules/features/server/postgresql.nix uses secure authentication methods.

Method Scope Purpose Reference
peer Local socket OS user validation PostgreSQL docs
scram-sha-256 Network Challenge-response auth RFC 7677, PostgreSQL docs

SCRAM-SHA-256 is the most secure password method available in PostgreSQL, providing protection against password sniffing and using secure hash storage.

HTTP Security Headers

Traefik middleware in modules/features/server/traefik.nix applies OWASP-recommended security headers.

Header Value Purpose Reference
X-Frame-Options SAMEORIGIN Prevent clickjacking OWASP
X-Content-Type-Options nosniff Prevent MIME sniffing OWASP
X-XSS-Protection 1; mode=block Legacy XSS filter OWASP
Referrer-Policy strict-origin-when-cross-origin Control referrer leakage OWASP

Brute Force Protection

fail2ban in modules/features/base/security.nix provides automated intrusion prevention.

  • Monitors authentication logs for failed attempts
  • Dynamically blocks attacking IPs via firewall
  • Implements progressive ban time escalation

Reference: Fail2ban documentation

Authoritative Sources

Standards and Frameworks

Official Documentation

There aren't any published security advisories