hardening.nix
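# SSH hardening & fail2ban
# S01-08: SSH hardening + fail2ban active

{ config, pkgs, lib, ... }:

{
  # ── SSH ──────────────────────────────────────────────────────────────
  services.openssh = {
    enable = true;
    settings = {
      # Key-based, non-root logins only: both interactive credential
      # paths (password and keyboard-interactive) are switched off.
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      X11Forwarding = false;
      # Cap attempts per connection; fail2ban below deals with repeat
      # offenders across connections.
      MaxAuthTries = 3;
    };
  };

  # ── fail2ban ─────────────────────────────────────────────────────────
  services.fail2ban = {
    enable = true;
    # Defaults for every jail; the sshd jail overrides maxretry below.
    maxretry = 5;
    bantime = "1h";
    # Repeat offenders get progressively longer bans, capped at maxtime.
    bantime-increment = {
      enable = true;
      maxtime = "48h";
    };
    jails.sshd = {
      settings = {
        enabled = true;
        # "ssh" is the /etc/services name (port 22). If sshd is moved to
        # another port this must follow it — NOTE(review): not verified
        # whether the NixOS module derives the port automatically.
        port = "ssh";
        filter = "sshd";
        maxretry = 3;
      };
    };
  };

  # ── Kernel hardening ─────────────────────────────────────────────────
  boot.kernel.sysctl = {
    # Disable IP forwarding (not a router). NOTE(review): container
    # runtimes that set up bridge networking may need forwarding and
    # would conflict with this — confirm before deploying there.
    "net.ipv4.ip_forward" = 0;
    # Ignore ICMP redirects. With forwarding disabled the kernel accepts
    # a redirect if *either* conf/all or the per-interface value is set
    # (Documentation/networking/ip-sysctl), so conf/default must be
    # cleared as well or new interfaces keep the host default of 1.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    # Ignore source-routed packets. Here all/interface are ANDed, so the
    # "all" value alone suffices; "default" is set for consistency.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    # SYN flood protection
    "net.ipv4.tcp_syncookies" = 1;
  };
}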