Authoritative references for the security measures implemented in this NixOS configuration.
The kernel sysctls in modules/features/server/hardening.nix follow CIS Benchmark
recommendations and Linux kernel security best practices.
| Setting | Value | Purpose | Reference |
|---|---|---|---|
net.ipv4.tcp_syncookies |
1 | Mitigate SYN flood DoS attacks | CIS 3.3.8 |
net.ipv4.conf.all.accept_redirects |
0 | Prevent ICMP redirect attacks | CIS 3.2.2 |
net.ipv4.conf.all.send_redirects |
0 | Disable ICMP redirect sending | CIS 3.2.3 |
net.ipv4.conf.all.rp_filter |
1 | Reverse path filtering (anti-spoofing) | CIS 3.3.7 |
net.ipv4.conf.all.log_martians |
1 | Log packets with impossible addresses | CIS 3.2.4 |
| Setting | Value | Purpose | Reference |
|---|---|---|---|
kernel.kptr_restrict |
2 | Hide kernel pointers (KASLR protection) | Kernel docs |
kernel.dmesg_restrict |
1 | Restrict dmesg to CAP_SYSLOG | Kernel docs |
kernel.perf_event_paranoid |
3 | Restrict perf to CAP_SYS_ADMIN | Kernel perf security |
kernel.unprivileged_bpf_disabled |
1 | Disable unprivileged eBPF | SUSE KB |
net.core.bpf_jit_harden |
2 | Harden BPF JIT compiler | Kernel net docs |
Configuration in modules/features/base/ssh.nix follows NIST and CIS guidelines.
| Setting | Value | Purpose | Reference |
|---|---|---|---|
PasswordAuthentication |
no | Enforce key-based auth | NIST IR 7966 |
PermitRootLogin |
no | Prevent direct root access | CIS 5.2.8 |
KbdInteractiveAuthentication |
no | Disable keyboard-interactive | NIST SP 800-123 |
Configuration in modules/features/server/postgresql.nix uses secure authentication methods.
| Method | Scope | Purpose | Reference |
|---|---|---|---|
peer |
Local socket | OS user validation | PostgreSQL docs |
scram-sha-256 |
Network | Challenge-response auth | RFC 7677, PostgreSQL docs |
SCRAM-SHA-256 is the most secure password method available in PostgreSQL, providing protection against password sniffing and using secure hash storage.
Traefik middleware in modules/features/server/traefik.nix applies OWASP-recommended security headers.
| Header | Value | Purpose | Reference |
|---|---|---|---|
X-Frame-Options |
SAMEORIGIN | Prevent clickjacking | OWASP |
X-Content-Type-Options |
nosniff | Prevent MIME sniffing | OWASP |
X-XSS-Protection |
1; mode=block | Legacy XSS filter | OWASP |
Referrer-Policy |
strict-origin-when-cross-origin | Control referrer leakage | OWASP |
fail2ban in modules/features/base/security.nix provides automated intrusion prevention.
- Monitors authentication logs for failed attempts
- Dynamically blocks attacking IPs via firewall
- Implements progressive ban time escalation
Reference: Fail2ban documentation
- CIS Benchmarks - Center for Internet Security
- NIST IR 7966 - SSH Key Management
- NIST SP 800-123 - General Server Security
- OWASP Cheat Sheets - Web Security
- Linux Kernel sysctl - Kernel parameters
- PostgreSQL Authentication - Auth methods
- NixOS Manual - NixOS configuration