gitreef

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE

commit 994464f8380634a1f5e730cf386e8510674eab87
parent bb753d39b5516c9d95466d9dcc4255b1bfd3891e
Author: Matthias Jaros <jaros@mailbox.org>
Date:   Sat, 15 Nov 2025 11:29:43 +0100

Removed deprecated settings, added DisableForwarding which sets multiple at once and disabled also tunnels. Furthermore added penalties for sources that spam the server and allow only 3 unauthenticated connections per source

Diffstat:
Msrc/ssh.conf | 25++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/ssh.conf b/src/ssh.conf @@ -14,20 +14,31 @@ ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND" # no password brute force PubkeyAuthentication yes PasswordAuthentication no -AuthenticationMethods publickey KbdInteractiveAuthentication no -ChallengeResponseAuthentication no # no forwarding and tunneling -AllowTcpForwarding no -AllowAgentForwarding no -X11Forwarding no +DisableForwarding yes +PermitTunnel no + +# ddos protection: default params here for clarity +# after 10 unauthenticated connections start dropping randomly +# with 30% chance new connections till 100 +# then reject every new connection attempt +MaxStartups 10:30:100 + +# max 3 unauthenticated per IP +PerSourceMaxStartups 3 + +# Garbage collection of unauthenticated connections +LoginGraceTime 10 # Limit authentication tries per connection MaxAuthTries 3 -# Do not wait too long for authentication -LoginGraceTime 10 +# penalties +# we are quite harsh here because bots usually annoy for multiple +# days with many requests, so let them accumulate it up to a day +PerSourcePenalties max:1d crash:1d grace-exceeded:30s noauth:10s authfail:10s # Point keys to shared data dir to avoid regenerating them each time HostKey /var/ssh/etc/ssh/ssh_host_rsa_key