mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-12-22 13:45:02 -05:00
cd59960e7b
We use synproxy for establishing all new connections to the SSH port and enforce a connection limit between synproxy and the standard network stack. Once the connection limit is reached, it's also enforced for new connections at the synproxy layer. This avoids creating conntrack and connection limit set entries until connections are already established to avoid packets with spoofed source addresses exhausting these limited size tables. Primary servers using SSH to mirror TLS certificates to their replicas are allowlisted. |
||
---|---|---|
.. | ||
ssh_config | ||
sshd_config |