Oluceps: /* Security hardening */

2025-07-27T13:03:39Z

Security hardening

← Older revision		Revision as of 13:03, 27 July 2025
Line 44:		Line 44:
	services.openssh = {		services.openssh = {
	enable = true;		enable = true;
	~~Ports~~ = [ 5432 ];		ports = [ 5432 ];
	settings = {		settings = {
	PasswordAuthentication = false;		PasswordAuthentication = false;

Jnalley: Added missing semicolon

2025-07-26T20:34:02Z

Added missing semicolon

← Older revision		Revision as of 20:34, 26 July 2025
Line 49:		Line 49:
	KbdInteractiveAuthentication = false;		KbdInteractiveAuthentication = false;
	PermitRootLogin = "no";		PermitRootLogin = "no";
	AllowUsers = [ "myUser" ]		AllowUsers = [ "myUser" ];
	};		};
	};		};
	</nowiki>		</nowiki>
	}}		\|name=\|lang=}}

	In addition to these settings, consider enabling [[#Fail2Ban\|Fail2Ban]] as a recommended baseline for security.		In addition to these settings, consider enabling [[#Fail2Ban\|Fail2Ban]] as a recommended baseline for security.

Pigs: Create ssh page, detail server and client configuration

2025-05-13T17:04:20Z

Create ssh page, detail server and client configuration

New page

[https://en.wikipedia.org/wiki/Secure_Shell SSH (Secure Shell)] is a protocol for securely accessing remote machines over an unsecured network. It is commonly used for remote administration, file transfers, and secure tunneling.

This page covers the setup and management of SSH on NixOS systems. NixOS primarily uses [https://www.openssh.com/ OpenSSH] for both server and client functionality.

For more manual-level information, refer to the {{NixOS Manual|name=NixOS Manual: Chapter - Secure Shell Access|anchor=#sec-ssh}}.

{{Security Warning|Changing SSH configuration settings can significantly impact the security of your system(s). It is crucial to have a solid understanding of what you are doing before making any adjustments.

Avoid blindly copying and pasting examples, including those from this Wiki page, without conducting a thorough analysis. Failure to do so may compromise the security of your system(s) and lead to potential vulnerabilities.
Take the time to comprehend the implications of your actions and ensure that any changes made are done thoughtfully and with care.}}

= OpenSSH Server =

To enable a SSH service, add the following to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
services.openssh = {
enable = true;
};
</nowiki>
}}

By default, the server listens on port 22 and allows password authentication. Note that the port defined in the <code>openssh</code> config is opened automatically in the [[Firewall|firewall]].

For more SSH server configuration options, refer to the {{nixos:option|services.openssh}} module options.

== Security hardening ==

To improve the security of your SSH server, it is recommended to apply the following measures:

* Disable password-based login

* Disable root login

* Restrict allowed users

* Change the default port

These options can be configured declaratively in your system configuration:

{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
services.openssh = {
enable = true;
Ports = [ 5432 ];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
AllowUsers = [ "myUser" ]
};
};
</nowiki>
}}

In addition to these settings, consider enabling [[#Fail2Ban|Fail2Ban]] as a recommended baseline for security.

= SSH client configuration =

The OpenSSH client is available by default on NixOS and can be configured using the {{nixos:option|programs.ssh}} module options.

{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
programs.ssh = {
extraConfig = "
Host myhost
Hostname 192.168.1.123
Port 22
User user
";
};
</nowiki>
}}

This allows you to connect using:

<syntaxhighlight lang="console">
$ ssh myhost
</syntaxhighlight>

{{note|Since this is a system-wide configuration, you cannot specify a user-specific identity file here due to file permission constraints.}}

For per-user SSH configuration, consider using [[Home Manager]] with the [https://home-manager-options.extranix.com/?query=programs.ssh programs.ssh] options, which allow for more flexible, user-level SSH client settings.

Alternatively, you can manually manage SSH client configuration by placing entries in the user-specific <code>~/.ssh/config</code> file.

= SSH public key authentication =

For details on configuring public key authentication, managing SSH keys, and setting up SSH agents, see the dedicated page: [[SSH public key authentication]].

= Tips and tricks =

== Fail2Ban ==

{{main|Fail2ban}}

[http://www.fail2ban.org/ Fail2Ban] is a service that bans hosts that cause multiple authentication errors.

To enable Fail2Ban, add the following to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
services.fail2ban.enable = true;
</nowiki>
}}

== Endlessh ==

[https://github.com/skeeto/endlessh Endlessh] is a SSH tarpit that slows down malicious or automated SSH connection attempts by indefinitely delaying connections.

To enable Endlessh, add the following to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|
<nowiki>
services.endlessh = {
enable = true;
port = 22;
openFirewall = true;
};
</nowiki>
}}

For additional configuration options, see the{{nixos:option|services.endlessh}} module documentation.

= See also =

* [[SSH public key authentication]]
* [[Fail2ban]]

[[Category:Networking]]
[[Category:Server]]

SSH - Revision history

Oluceps: /* Security hardening */

Jnalley: Added missing semicolon

Pigs: Create ssh page, detail server and client configuration