Commit Graph

575 Commits

Author SHA1 Message Date
Daniel Micay
f3ae109eac reduce conntrack SYN timeouts to match TCP/IP stack 2024-04-24 10:45:02 -04:00
Daniel Micay
ee62868a7b nftables: use standard order for verdict map 2024-04-23 03:30:15 -04:00
Daniel Micay
965bc4f951 nftables: add invalid case to ct state vmap
This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
2024-04-23 02:38:40 -04:00
Daniel Micay
5ba6cbd3d1 nftables: simplify rules via untracked state 2024-04-23 02:34:17 -04:00
Daniel Micay
d369f159a9 add nmap package across servers mainly for nping
It's extremely useful to have this around for debugging network issues,
testing firewall rules and other purposes. It's not particularly useful
having nmap itself, but nping and to a lesser extent ncat are great to
have available.
2024-04-22 10:43:11 -04:00
Daniel Micay
9f99e9c3a5 drop whois package from discuss.grapheneos.org
There's no particular reason to have this on the servers since it can be
done locally.
2024-04-22 10:38:28 -04:00
Daniel Micay
398acc6fe8 nftables: drop instead of reject for unused ports
This provides consistency with DDoS protection services placed in front
of the services rather than the behavior changing based on whether DDoS
protection is active. This doesn't help with protecting against attacks
since they'll almost always be targeting ports with services active or
exhausting inbound bandwidth via UDP reflection attacks. This appears to
be the standard approach used by most large tech companies.
2024-04-19 13:54:12 -04:00
Daniel Micay
b17b2f3fd3 nftables: add define for ns2.grapheneos.org anycast IP 2024-04-18 10:45:53 -04:00
Daniel Micay
741ea728ea nftables: move output skuid checks to raw phase
This is a minor simplification and also a minor optimization.
2024-04-17 15:28:16 -04:00
Daniel Micay
7782c861cb nftables: reorder rule for rejecting SSH via anycast 2024-04-15 23:54:17 -04:00
Daniel Micay
8caa777e11 add connection limit allowlist for mail server 2024-04-15 23:21:26 -04:00
Daniel Micay
dade50c832 nftables: drop unnecessary ssh localhost allowlist 2024-04-15 22:38:36 -04:00
Daniel Micay
9f84c50869 force DMARC enforcement for gmail.com 2024-04-15 11:42:03 -04:00
Daniel Micay
8278883a84 add grapheneos.foundation domain 2024-04-13 19:18:03 -04:00
Daniel Micay
8a4e4f334f reorder configuration 2024-04-13 18:20:14 -04:00
Daniel Micay
56f169cbba increase max TCP send buffer size for matrix server 2024-04-13 18:20:12 -04:00
Daniel Micay
35e776f867 increase max TCP send buffer size for update servers 2024-04-13 14:27:31 -04:00
Daniel Micay
711e432a67 remove unnecessary local-reserved-ports.conf template 2024-04-13 14:17:23 -04:00
Daniel Micay
f9bce64060 enable TCP window shrinking
The default is a potential denial of service issue via TCP memory
exhaustion.
2024-04-13 13:52:08 -04:00
Daniel Micay
6a325f8798 update python dependencies 2024-04-12 21:33:35 -04:00
Daniel Micay
bd6f127acf move nftables configuration to a directory 2024-04-12 21:33:35 -04:00
Daniel Micay
c412fec336 simplify rate limited synproxy bypass 2024-04-12 21:33:33 -04:00
Daniel Micay
ca35fcc648 add python-pydantic package for matrix.grapheneos.org 2024-04-11 22:45:55 -04:00
Daniel Micay
b928b197b0 nftables: add comments explaining adding to connlimit sets 2024-04-11 15:59:07 -04:00
Daniel Micay
edbf50a3da nftables: rename tcp service chains 2024-04-11 11:59:27 -04:00
Daniel Micay
3d886dea43 nftables: split out TCP service chain 2024-04-11 11:49:22 -04:00
Daniel Micay
b152574da8 nftables: avoid unnecessary connection marking 2024-04-11 11:38:43 -04:00
Daniel Micay
832a430954 nftables: handle non-TCP case in input-new chain 2024-04-11 10:34:10 -04:00
Daniel Micay
8f047de0c3 nftables: explain synproxy untracked/invalid cases 2024-04-11 10:19:39 -04:00
Daniel Micay
26a58b2492 nftables: explain synproxy bypass rate limit 2024-04-11 09:56:30 -04:00
Daniel Micay
ecd14bddff nftables: explain ordering of strong host model check 2024-04-11 09:51:10 -04:00
Daniel Micay
b21ea0a23f raise synproxy bypass burst to 128 packets from 5
Our network servers are spiking over the default burst limit of 5
packets during regular usage. It's unclear high this should be but 5
packets is definitely too low.
2024-04-10 15:08:45 -04:00
Daniel Micay
b38736ca74 enable nftables-based DDoS protection for all TCP services
Now that the usage of synproxy is gated behind a SYN packet rate limit,
we can expand this to all our TCP services to have always enabled DDoS
protection instead of needing to deploy a stricter set of rules when the
servers are under attack. This is far better because there isn't always
a system administrator available to handle an ongoing attack.

We already used per-IP connection limits in nginx across the board but
those limits are applied far too late after a TLS connection has been
established and headers are sent rather than before. Using IPv6 /64
blocks means this is much more aggressive for IPv6, but many clients
will fall back to IPv4 due to the happy eyeballs approach. The nginx
limits are still useful due to HTTP/2 multiplexing and we'll need to
think over how to address IPv6 there.
2024-04-10 14:48:10 -04:00
Daniel Micay
14c0128910 add rate limited synproxy bypass 2024-04-10 12:15:19 -04:00
Daniel Micay
ef63ff82d2 use consistent name for main connlimit
This will be extended to other services when under attack, which can be
automated in the future.
2024-04-09 20:29:11 -04:00
Daniel Micay
275d63e8b3 certbot: add ns2 variant of staging authoritative DNS 2024-04-08 17:06:43 -04:00
Daniel Micay
5106ec7f4a remove redundant vm.max_map_count configuration
The same value we were using is now the default.
2024-04-07 15:11:35 -04:00
Daniel Micay
a6b9fa782b reorganize nftables rules 2024-04-05 19:14:05 -04:00
Daniel Micay
cf274f34d7 simplify synproxy-based connection limit rules 2024-04-05 13:36:09 -04:00
Daniel Micay
c1756f5809 add synproxy/connlimit for ACME/redirect use of HTTP
This makes it easier to maintain and deploy more aggressive DDoS
mitigation when our main HTTPS services are under attack.

Network servers use HTTP for connectivity checks which do not use
keepalive and should also be a good use case for
2024-04-04 12:46:38 -04:00
Daniel Micay
3e23b80e9c move mail server HTTP(S) connection limit to nftables
This has the same reasoning as 9fcac6b105
other than these services being used for MTA-STS in addition to ACME and
redirects to the FAQ for the domains.
2024-04-04 12:46:22 -04:00
Daniel Micay
83bcc0b327 merge synproxy rules 2024-03-31 22:25:38 -04:00
Daniel Micay
9fcac6b105 use DNS connlimit for HTTP/HTTPS on DNS servers
Our DNS servers only have HTTP(S) for obtaining certificates via ACME
with accounturi pinning along with redirecting people who visit the
domain in a browser to our server documentation. We also only permit 1
request for each HTTP(S) connection for these services so connections
are very short lived.

We'll need to do this in a less aggressive way for our web sites and our
services used to transfer significant amounts of data such as the update
servers since not all clients have TCP timestamps and will lose SACK and
window scaling with the current Linux SYN cookie design despite it being
possible to avoid that as FreeBSD does.
2024-03-31 22:23:10 -04:00
Daniel Micay
079997d4b5 chrony: raise minsources to 3 2024-03-31 14:03:16 -04:00
Daniel Micay
0edcc3514e chrony: add time.cifelli.xyz as source 2024-03-31 14:02:16 -04:00
Daniel Micay
be63011a31 chrony: add time.dfm.dk as source 2024-03-31 14:02:08 -04:00
Daniel Micay
0fab969de7 enforce IPv6 SUPL connection limit for /64 blocks 2024-03-30 20:40:38 -04:00
Daniel Micay
457f0bf7e8 move IP-based SUPL connection limits to nftables 2024-03-30 20:40:11 -04:00
Daniel Micay
e655732304 drop unnecessary nftables udp condition 2024-03-30 12:23:05 -04:00
Daniel Micay
39b7e1f479 add counter to connection limit reject rules 2024-03-30 02:12:18 -04:00