8 Commits

Author SHA1 Message Date
Daniel Micay
66c512b65f reduce SSH liveness check timeout to ~2 minutes 2024-07-02 18:06:47 -04:00
Daniel Micay
1dc26ba006 add VerifyHostKeyDNS ask to ssh_config 2024-06-18 14:25:16 -04:00
Daniel Micay
cd59960e7b move IP-based SSH connection limits to nftables
We use synproxy for establishing all new connections to the SSH port and
enforce a connection limit between synproxy and the standard network
stack. Once the connection limit is reached, it's also enforced for new
connections at the synproxy layer. This avoids creating conntrack and
connection limit set entries until connections are already established
to avoid packets with spoofed source addresses exhausting these limited
size tables. Primary servers using SSH to mirror TLS certificates to
their replicas are allowlisted.
2024-03-28 11:38:03 -04:00
Daniel Micay
b88d0d5c96 raise ssh background traffic priority to af11
The default cs1 is resulting in traffic being completely dropped for some
routes with congestion.
2023-08-14 23:32:00 -04:00
Daniel Micay
ae2fc9244b support drop-in configurations for ssh configs 2023-08-11 11:36:08 -04:00
Daniel Micay
1173060c25 ssh: switch to AES256-GCM to use AES-NI 2023-07-22 16:39:37 -04:00
Daniel Micay
8a1cab9071 add SSH client configuration 2023-07-13 11:41:59 -04:00
Daniel Micay
39ec27f421 move ssh configuration to subdirectory 2023-06-06 15:18:19 -04:00