Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-11-22 16:00:25 -05:00
Code Issues Projects Releases Packages Wiki Activity

expand SSH connection limit allowlist

Browse source
This commit is contained in:
Daniel Micay 2025-08-29 10:28:44 -04:00
parent f3ae87143f
commit 3d0e2ffb23
11 changed files with 74 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -7,6 +7,7 @@
/authorized_keys-staging-attestation /authorized_keys-staging-attestation
/passwords/ /passwords/
/modules/ /modules/
/ssh.sh
/sysctl/ /sysctl/
/tmp /tmp
/units/ /units/

7
deploy-initial
View file

@ -4,6 +4,7 @@ set -o errexit -o nounset -o pipefail
shopt -s expand_aliases shopt -s expand_aliases
. hosts.sh . hosts.sh
. ssh.sh
[[ $# -eq 1 ]] || exit 1 [[ $# -eq 1 ]] || exit 1
@ -59,8 +60,10 @@ sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp
rsync tmp $remote:/mnt/etc/ssh/sshd_config rsync tmp $remote:/mnt/etc/ssh/sshd_config
rm tmp rm tmp
synproxy_threshold=$(( ${hosts_conntrack_size[$host]} / 64 )) cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
sed "s/{{synproxy_threshold}}/$synproxy_threshold/g" etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf >tmp sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]} / 64 ))/g" tmp
sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp
rsync tmp $remote:/mnt/etc/nftables.conf rsync tmp $remote:/mnt/etc/nftables.conf
rm tmp rm tmp

16
etc/nftables/nftables-attestation.conf
View file

@ -3,6 +3,14 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -77,8 +85,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -87,8 +95,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept

16
etc/nftables/nftables-discuss.conf
View file

@ -3,6 +3,14 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -80,8 +88,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -90,8 +98,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept

16
etc/nftables/nftables-mail.conf
View file

@ -3,6 +3,14 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
}
define ip-allowlist-main = { define ip-allowlist-main = {
51.79.66.27, # attestation.app 51.79.66.27, # attestation.app
51.79.52.38, # discuss.grapheneos.org 51.79.52.38, # discuss.grapheneos.org
@ -89,8 +97,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -99,8 +107,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept

16
etc/nftables/nftables-matrix.conf
View file

@ -3,6 +3,14 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -77,8 +85,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -87,8 +95,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept

2
etc/nftables/nftables-network.conf
View file

@ -4,10 +4,12 @@ flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}},
51.222.159.116, # 0.grapheneos.network 51.222.159.116, # 0.grapheneos.network
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2607:5300:205:200::2584, # 0.grapheneos.network 2607:5300:205:200::2584, # 0.grapheneos.network
} }

2
etc/nftables/nftables-ns1.conf
View file

@ -7,10 +7,12 @@ table inet filter {
define ip6-anycast = 2a05:b0c4:1::8 define ip6-anycast = 2a05:b0c4:1::8
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}},
51.161.34.158, # 0.ns1.grapheneos.org 51.161.34.158, # 0.ns1.grapheneos.org
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2607:5300:205:200::eaa, # 0.ns1.grapheneos.org 2607:5300:205:200::eaa, # 0.ns1.grapheneos.org
} }

2
etc/nftables/nftables-ns2.conf
View file

@ -6,10 +6,12 @@ table inet filter {
define ip-anycast = 198.251.90.93 define ip-anycast = 198.251.90.93
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}},
198.98.53.141, # 0.ns2.grapheneos.org 198.98.53.141, # 0.ns2.grapheneos.org
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org 2605:6400:10:102e:95bc:89ef:2e7f:49bb, # 0.ns2.grapheneos.org
} }

16
etc/nftables/nftables-social.conf
View file

@ -3,6 +3,14 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = {
{{ssh_ipv4}},
}
define ip6-allowlist-ssh = {
{{ssh_ipv6}},
}
set ip-connlimit-ssh { set ip-connlimit-ssh {
type ipv4_addr type ipv4_addr
flags dynamic flags dynamic
@ -77,8 +85,8 @@ table inet filter {
# add connections established without synproxy to connection limit sets with limits enforced # add connections established without synproxy to connection limit sets with limits enforced
chain input-tcp-service-established { chain input-tcp-service-established {
ct mark 0x1 accept ct mark 0x1 accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept
@ -87,8 +95,8 @@ table inet filter {
# add connections established with synproxy to connection limit sets with limits enforced # add connections established with synproxy to connection limit sets with limits enforced
chain input-tcp-service-loopback { chain input-tcp-service-loopback {
tcp flags != syn accept tcp flags != syn accept
tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
ct mark set 0x1 accept ct mark set 0x1 accept

2
etc/nftables/nftables-web.conf
View file

@ -4,11 +4,13 @@ flush ruleset
table inet filter { table inet filter {
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}},
51.222.156.101, # 0.grapheneos.org 51.222.156.101, # 0.grapheneos.org
45.90.185.33, # 0.releases.grapheneos.org 45.90.185.33, # 0.releases.grapheneos.org
} }
define ip6-allowlist-ssh = { define ip6-allowlist-ssh = {
{{ssh_ipv6}},
2607:5300:205:200::29c6, # 0.grapheneos.org 2607:5300:205:200::29c6, # 0.grapheneos.org
2a14:3f87:6920:250::100, # 0.releases.grapheneos.org 2a14:3f87:6920:250::100, # 0.releases.grapheneos.org
} }