From abca76d110ab5d300961e8535afea818c5b08a0e Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sat, 6 Dec 2025 00:51:01 -0500
Subject: [PATCH] switch to explicit sshd listen addresses

This makes more sense than blocking inbound traffic for specific IP addresses where SSH doesn't make sense.

This orders sshd.service after network-online.target since otherwise ListenAddress can fail to work with specific IP addresses assigned by systemd-networkd.
---
 deploy-initial-vps | 4 ++++
 etc/nftables/nftables-ns1.conf | 6 ------
 etc/nftables/nftables-ns2.conf | 6 ------
 etc/ssh/sshd_config | 4 ++--
 etc/systemd/system/sshd.service.d/override.conf | 3 +++
 5 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/deploy-initial-vps b/deploy-initial-vps
index b8c6681..4ef0681 100755
--- a/deploy-initial-vps
+++ b/deploy-initial-vps
@@ -57,10 +57,14 @@ rsync etc/sysconfig/chronyd $remote:/mnt/etc/sysconfig/chronyd
 rsync ${hosts_authorized_keys[$host]:-authorized_keys} $remote:/mnt/root/.ssh/authorized_keys
 cp etc/ssh/sshd_config tmp
+sed -i "s/{{ipv4_address}}/${hosts_ipv4_address[$host]:-127.0.0.1}/g" tmp
+sed -i "s/{{ipv6_address}}/${hosts_ipv6_address[$host]:-::1}/g" tmp
 sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp
 rsync tmp $remote:/mnt/etc/ssh/sshd_config
 rm tmp
+rsync -r --delete etc/systemd/system/sshd.service.d $remote:/mnt/etc/systemd/system/
+
 cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
 sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]:-65536} / 64 ))/g" tmp
 sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index a4ca99d..bf95f01 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
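Review bot: The `:-127.0.0.1` and `:-::1` fallbacks in the two new sed lines silently turn a host that has no entry in hosts_ipv4_address/hosts_ipv6_address into a loopback-only sshd, which on an initial VPS deploy means remote SSH is unreachable after first boot with no error raised at deploy time. A missing IPv4 entry should abort the script instead of being papered over: `sed -i "s/{{ipv4_address}}/${hosts_ipv4_address[$host]:?missing IPv4 address for $host}/g" tmp`. If some hosts deliberately have no routable IPv6 the `::1` fallback can stay for that line; otherwise the same `:?` form applies there too. The arrays themselves are defined outside this hunk, so whether every host already has an entry cannot be confirmed from the diff.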
@@ -7,9 +7,6 @@ table inet filter {
 define tcp-ports-full = { 22, $tcp-ports }
 define udp-ports = 53
- define ip-anycast = 185.187.152.9
- define ip6-anycast = 2602:f4d9::1
-
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 66.135.8.22, # nyc.ns1.grapheneos.org
@@ -90,9 +87,6 @@ table inet filter {
 udp dport $udp-ports notrack accept
- tcp dport 22 ip daddr $ip-anycast drop
- tcp dport 22 ip6 daddr $ip6-anycast drop
-
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index bbb2561..ef27f3e 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -7,9 +7,6 @@ table inet filter {
 define tcp-ports-full = { 22, $tcp-ports }
 define udp-ports = 53
- define ip-anycast = { 23.149.124.1, 198.251.90.93 }
- define ip6-anycast = 2602:f4d9:1::1
-
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
 198.98.53.141, # nyc.ns2.grapheneos.org
@@ -90,9 +87,6 @@ table inet filter {
 udp dport $udp-ports notrack accept
- tcp dport 22 ip daddr $ip-anycast drop
- tcp dport 22 ip6 daddr $ip6-anycast drop
-
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index 78402bb..fb2b3d1 100644
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@@ -13,8 +13,8 @@ Include /etc/ssh/sshd_config.d/*.conf
 #Port 22
 #AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
+ListenAddress {{ipv4_address}}
+ListenAddress {{ipv6_address}}
 IPQoS cs2 cs0
diff --git a/etc/systemd/system/sshd.service.d/override.conf b/etc/systemd/system/sshd.service.d/override.conf
index 0218e60..b2e8505 100644
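Review bot: The two new ListenAddress lines in sshd_config carry `{{ipv4_address}}` and `{{ipv6_address}}` with nothing indicating they are template placeholders, so anyone reading the file on a deployed host (or editing the template) has no pointer to where the values come from. A comment directly above them would close that gap: `# per-host values substituted by deploy-initial-vps from hosts_ipv4_address / hosts_ipv6_address (loopback when unset)`. Unlike the replaced `0.0.0.0`/`::` defaults, an address that is not yet assigned when sshd starts makes that listener fail to bind, which is the race the override.conf change in this same patch is meant to close, so the comment is also the natural place to say why sshd no longer listens on all interfaces.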
--- a/etc/systemd/system/sshd.service.d/override.conf
+++ b/etc/systemd/system/sshd.service.d/override.conf
@@ -1,3 +1,6 @@
+[Unit]
+After=network-online.target
+
 [Service]
 LimitNOFILE=8192
 ManagedOOMPreference=avoid
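Review bot: `After=network-online.target` on its own only orders sshd.service relative to the target; it does not cause the target to be activated, and systemd.special(7) asks units that need a configured network to pair the ordering with `Wants=network-online.target`. Unless the base sshd.service or some other enabled unit already pulls the target in, this override is a no-op and sshd can still start before systemd-networkd has assigned the ListenAddress IPs, which is exactly the failure the commit message describes. The fix is one more line in the new [Unit] section: `Wants=network-online.target`. Reaching network-online.target under systemd-networkd also depends on systemd-networkd-wait-online.service being enabled on the hosts, which cannot be confirmed from this diff.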