Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-12-20 18:55:21 -05:00
Code Issues Projects Releases Packages Wiki Activity

switch to explicit sshd listen addresses

Browse source 
This makes more sense than blocking inbound traffic for specific IP
addresses where SSH doesn't make sense.

This orders sshd.service after network-online.target since otherwise
ListenAddress can fail to work with specific IP addresses assigned by
systemd-networkd.
This commit is contained in:
Daniel Micay 2025-12-06 00:51:01 -05:00
parent 9f40af22b7
commit abca76d110
5 changed files with 9 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

4
deploy-initial-vps
View file

@ -57,10 +57,14 @@ rsync etc/sysconfig/chronyd $remote:/mnt/etc/sysconfig/chronyd
rsync ${hosts_authorized_keys[$host]:-authorized_keys} $remote:/mnt/root/.ssh/authorized_keys rsync ${hosts_authorized_keys[$host]:-authorized_keys} $remote:/mnt/root/.ssh/authorized_keys
cp etc/ssh/sshd_config tmp cp etc/ssh/sshd_config tmp
sed -i "s/{{ipv4_address}}/${hosts_ipv4_address[$host]:-127.0.0.1}/g" tmp
sed -i "s/{{ipv6_address}}/${hosts_ipv6_address[$host]:-::1}/g" tmp
sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" tmp
rsync tmp $remote:/mnt/etc/ssh/sshd_config rsync tmp $remote:/mnt/etc/ssh/sshd_config
rm tmp rm tmp
rsync -r --delete etc/systemd/system/sshd.service.d $remote:/mnt/etc/systemd/system/
cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]:-65536} / 64 ))/g" tmp sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]:-65536} / 64 ))/g" tmp
sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp

6
etc/nftables/nftables-ns1.conf
View file

@ -7,9 +7,6 @@ table inet filter {
define tcp-ports-full = { 22, $tcp-ports } define tcp-ports-full = { 22, $tcp-ports }
define udp-ports = 53 define udp-ports = 53
define ip-anycast = 185.187.152.9
define ip6-anycast = 2602:f4d9::1
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}}, {{ssh_ipv4}},
66.135.8.22, # nyc.ns1.grapheneos.org 66.135.8.22, # nyc.ns1.grapheneos.org
@ -90,9 +87,6 @@ table inet filter {
udp dport $udp-ports notrack accept udp dport $udp-ports notrack accept
tcp dport 22 ip daddr $ip-anycast drop
tcp dport 22 ip6 daddr $ip6-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

6
etc/nftables/nftables-ns2.conf
View file

@ -7,9 +7,6 @@ table inet filter {
define tcp-ports-full = { 22, $tcp-ports } define tcp-ports-full = { 22, $tcp-ports }
define udp-ports = 53 define udp-ports = 53
define ip-anycast = { 23.149.124.1, 198.251.90.93 }
define ip6-anycast = 2602:f4d9:1::1
define ip-allowlist-ssh = { define ip-allowlist-ssh = {
{{ssh_ipv4}}, {{ssh_ipv4}},
198.98.53.141, # nyc.ns2.grapheneos.org 198.98.53.141, # nyc.ns2.grapheneos.org
@ -90,9 +87,6 @@ table inet filter {
udp dport $udp-ports notrack accept udp dport $udp-ports notrack accept
tcp dport 22 ip daddr $ip-anycast drop
tcp dport 22 ip6 daddr $ip6-anycast drop
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

4
etc/ssh/sshd_config
View file

@ -13,8 +13,8 @@ Include /etc/ssh/sshd_config.d/*.conf
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 ListenAddress {{ipv4_address}}
#ListenAddress :: ListenAddress {{ipv6_address}}
IPQoS cs2 cs0 IPQoS cs2 cs0

3
etc/systemd/system/sshd.service.d/override.conf
View file

@ -1,3 +1,6 @@
[Unit]
After=network-online.target
[Service] [Service]
LimitNOFILE=8192 LimitNOFILE=8192
ManagedOOMPreference=avoid ManagedOOMPreference=avoid