update nftables torrc host config read me add sshd config

host/README.md

@@ -2,9 +2,9 @@
 
 ## Debian
 
-### Create VM
+### Create VM (from local computer/workstation)
 - `ssh-keygen -t ed25519 -f ~/.ssh/myhub`
-- Create VM and use public key from `~/.ssh/myhub.pub`
+- Create VM (however you need to) and use public key from `~/.ssh/myhub.pub`
 - `ssh-keyscan <ip_address_of_vm> >> ~/.ssh/known_hosts`
 - create `~/.ssh/config` and add the following 
 
@@ -49,7 +49,8 @@ Host myhub
 - `cd docker-hybrid/host`
 
 ### Packages 
-- `sudo apt -y install docker.io nftables tcpdump mtr tor git`
+- `sudo apt -y install docker.io nftables tcpdump mtr tor git python3-pip`
+- `pip3 install docker-compose`
 
 ### Configuration files
 - `cp tor/torrc /etc/tor/torrc`
@@ -67,8 +68,19 @@ Host myhub
 - `ip link add docker0 type bridge` 
 - `ip link set docker0 up`
 - `ip addr add 100.64.63.129/25 dev docker0`
+#### Enable docker service at boot
 - `systemctl enable docker`
 - `systemctl start docker`
+
+#### Harden SSH daemon
+- `cp ssh/sshd_config /etc/sshd_config`
+- `chattr +i /etc/ssh/sshd_config`
+- `echo "authorized access only" > /etc/issue.net`
+- `chattr +i /etc/issue.net`
+- `systemctl restart sshd`
+
+#### Boot network configuration
+- This step ensures that the WAN interface name will match the pre-defined values in the provided nftables scripts
 - create `/etc/systemd/network/50-WAN.link` and add the following
 
 ```
@@ -130,7 +142,6 @@ LLMNR=false
 - `chattr +i /etc/systemd/network/50-WAN.link`
 - `chattr +i /etc/systemd/network/51-WAN.network`
 - `systemctl enable systemd-networkd`
-- `sync ; sync ; /sbin/reboot -f`
-- Re-SSH the host, CWD to `docker-hybrid/host`
 - `cp nftables/nftables.rules /etc/nftables.conf`
 - `chattr +i /etc/nftables.conf`
+- reboot (smoke test)

host/default/docker

@@ -1 +1 @@
-DOCKER_OPTS="--iptables=false --ip-masq=false --bip=100.64.63.129/25 --fixed-cidr=100.64.63.128/25 --default-address-pool base=100.64.15.128/25,size=29"
+DOCKER_OPTS="--userns-remap=default --iptables=false --ip-masq=false --bip=100.64.63.129/25 --fixed-cidr=100.64.63.128/25 --default-address-pool base=100.64.15.128/25,size=29"

host/nftables/nftables.exterior.rules

@@ -1,4 +1,4 @@
-table ip hybrid {
+table ip filter {
   chain POSTROUTING {
     type nat hook postrouting priority 0; policy accept;
     oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
@@ -50,13 +50,13 @@ table ip hybrid {
     limit rate 15/second burst 3 packets               counter log prefix "NFFWD: " comment "forward unmatched log";
                                                        counter drop                 comment "forward dropped";
   }
-
   chain output {
     type filter hook output   priority 0;    policy drop;
-    ct state invalid                                             counter jump   INVALID       comment "(CT) invalid on OUTPUT chain";
-    udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept               comment "UDP DNS query response to egress (100.64.48.0/20)";
-    oifname "WAN"                                                counter accept               comment "* via default interface";
-    limit rate 15/second burst 3 packets                         counter log prefix "NFOUT: " comment "output unmatched log";
-                                                                 counter drop                 comment "output dropped";
+    oifname "lo"     ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8       counter accept               comment "* via loop-back";
+    ct state invalid                                                 counter jump   INVALID       comment "(CT) invalid on OUTPUT chain";
+    udp sport 53     ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept               comment "UDP DNS query response to egress (100.64.48.0/20)";
+    oifname "WAN"                                                    counter accept               comment "* via default interface";
+    limit rate 15/second burst 3 packets                             counter log prefix "NFOUT: " comment "output unmatched log";
+                                                                     counter drop                 comment "output dropped";
   }
 }

host/nftables/nftables.top_site.rules

@@ -1,4 +1,4 @@
-table ip hybrid {
+table ip filter {
   chain POSTROUTING {
     type nat hook postrouting priority 0; policy accept;
     oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients";
@@ -44,13 +44,13 @@ table ip hybrid {
     limit rate 15/second burst 3 packets               counter log prefix "NFFWD: " comment "forward unmatched log";
                                                        counter drop                 comment "forward dropped";
   }
-
   chain output {
     type filter hook output   priority 0;    policy drop;
-    ct state invalid                                             counter jump   INVALID       comment "(CT) invalid on OUTPUT chain";
-    udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept               comment "UDP DNS query response to egress (100.64.48.0/20)";
-    oifname "WAN"                                                counter accept               comment "* via default interface";
-    limit rate 15/second burst 3 packets                         counter log prefix "NFOUT: " comment "output unmatched log";
-                                                                 counter drop                 comment "output dropped";
+    oifname "lo"     ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8       counter accept               comment "* via loop-back";
+    ct state invalid                                                 counter jump   INVALID       comment "(CT) invalid on OUTPUT chain";
+    udp sport 53     ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept               comment "UDP DNS query response to egress (100.64.48.0/20)";
+    oifname "WAN"                                                    counter accept               comment "* via default interface";
+    limit rate 15/second burst 3 packets                             counter log prefix "NFOUT: " comment "output unmatched log";
+                                                                     counter drop                 comment "output dropped";
   }
 }

host/ssh/sshd_config

@@ -0,0 +1,28 @@
+Port                            22
+AddressFamily                   any
+ListenAddress                   ::
+HostKey                         /etc/ssh/ssh_host_rsa_key
+HostKey                         /etc/ssh/ssh_host_ecdsa_key
+HostKey                         /etc/ssh/ssh_host_ed25519_key
+LoginGraceTime                  10s
+PermitRootLogin                 yes
+StrictModes                     yes
+MaxAuthTries                    1
+MaxSessions                     5
+PubkeyAuthentication            yes
+AuthorizedKeysFile	            .ssh/authorized_keys
+PasswordAuthentication          no
+PermitEmptyPasswords            no
+ChallengeResponseAuthentication no
+UsePAM                          yes
+AllowAgentForwarding            no
+AllowTcpForwarding              no
+GatewayPorts                    no
+X11Forwarding                   no
+PrintLastLog                    yes
+TCPKeepAlive                    yes
+PermitTunnel                    no
+Banner                          /etc/issue.net
+AcceptEnv                       LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv                       LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv                       LC_IDENTIFICATION LC_ALL

host/tor/torrc

@@ -1 +1,3 @@
-DNSPort 53
+DNSPort                       53
+HiddenServiceDir              /var/lib/tor/ssh/
+HiddenServicePort             22 127.0.0.1:22