mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-08-18 19:17:50 -04:00
move IP-based SSH connection limits to nftables
We use synproxy for establishing all new connections to the SSH port and enforce a connection limit between synproxy and the standard network stack. Once the connection limit is reached, it's also enforced for new connections at the synproxy layer. This avoids creating conntrack and connection limit set entries until connections are already established to avoid packets with spoofed source addresses exhausting these limited size tables. Primary servers using SSH to mirror TLS certificates to their replicas are allowlisted.
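The commit message above describes the mechanism in words; the following is an added illustrative nftables ruleset written to show how that design fits together, and is not the repository's own configuration. It assumes IPv4 only, SSH on tcp/22, a per-source cap of 4 established connections, a 1 minute penalty window, and two constructed placeholder addresses (192.0.2.10, 192.0.2.11) standing in for the allowlisted primary servers.

```nftables
# Added illustrative ruleset (not the GrapheneOS infrastructure config).
# Assumptions: IPv4 only, SSH on tcp/22, per-source cap of 4 established
# connections, 1 minute penalty, placeholder allowlist addresses.
table ip ssh_guard {
    # Primary servers exempt from the per-source limit (constructed placeholders).
    set ssh_allowlist {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Dynamic set used only to count established SSH connections per source.
    set ssh_conn {
        type ipv4_addr
        flags dynamic
    }

    # Sources that have hit the cap; their SYNs are dropped before synproxy.
    set ssh_limited {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1m
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # No conntrack entry for bare SYNs to SSH; synproxy answers them instead,
        # so spoofed SYN floods cannot fill the conntrack table.
        tcp dport 22 tcp flags syn notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # Cheap early drop for sources already over the limit; still no conntrack state.
        tcp dport 22 ct state untracked ip saddr @ssh_limited drop
        # Complete the three-way handshake in synproxy before the real stack sees it.
        tcp dport 22 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
        ct state invalid drop
        # Allowlisted primaries bypass the per-source limit.
        tcp dport 22 ct state new ip saddr @ssh_allowlist accept
        # Connections reaching this point have a completed handshake, so set entries
        # are created only for real peers. Over the cap: remember the source and drop.
        tcp dport 22 ct state new add @ssh_conn { ip saddr ct count over 4 } add @ssh_limited { ip saddr } drop
        tcp dport 22 ct state new accept
    }
}
```

Ordering is the point of the ruleset: the `@ssh_limited` check sits before the synproxy statement, so a source that has already exceeded the cap is rejected at the synproxy layer, while the `ct count` set is only touched after synproxy has handed a fully established connection to the stack.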
parent 16ef317460
commit cd59960e7b
10 changed files with 269 additions and 73 deletions
@ -105,7 +105,6 @@ ClientAliveInterval 60
ClientAliveCountMax 10
#UseDNS no
#PidFile /run/sshd.pid
PerSourceMaxStartups 1
MaxStartups 4096
#PermitTunnel no
#ChrootDirectory none
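Review bot: dropping `PerSourceMaxStartups 1` removes sshd's own per-source cap on unauthenticated connections, so the only bound left inside sshd is the global `MaxStartups 4096` just below it, and the per-IP limit now lives entirely in nftables, outside this file. Suggest leaving a one-line comment in place of the removed line (e.g. `# per-source limit enforced in nftables`) so a later reader of sshd_config does not assume the limit was dropped by mistake, and confirm that the nftables ruleset is loaded before sshd starts accepting connections, since a boot-ordering gap would leave the port with no per-source limit at all.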