commit 994464f8380634a1f5e730cf386e8510674eab87 parent bb753d39b5516c9d95466d9dcc4255b1bfd3891e Author: Matthias Jaros <jaros@mailbox.org> Date: Sat, 15 Nov 2025 11:29:43 +0100 Removed deprecated settings, added DisableForwarding which sets multiple at once and disabled also tunnels. Furthermore added penalties for sources that spam the server and allow only 3 unauthenticated connections per source Diffstat:
| M | src/ssh.conf | | | 25 | ++++++++++++++++++------- |
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/ssh.conf b/src/ssh.conf @@ -14,20 +14,31 @@ ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND" # no password brute force PubkeyAuthentication yes PasswordAuthentication no -AuthenticationMethods publickey KbdInteractiveAuthentication no -ChallengeResponseAuthentication no # no forwarding and tunneling -AllowTcpForwarding no -AllowAgentForwarding no -X11Forwarding no +DisableForwarding yes +PermitTunnel no + +# ddos protection: default params here for clarity +# after 10 unauthenticated connections start dropping randomly +# with 30% chance new connections till 100 +# then reject every new connection attempt +MaxStartups 10:30:100 + +# max 3 unauthenticated per IP +PerSourceMaxStartups 3 + +# Garbage collection of unauthenticated connections +LoginGraceTime 10 # Limit authentication tries per connection MaxAuthTries 3 -# Do not wait too long for authentication -LoginGraceTime 10 +# penalties +# we are quite harsh here because bots usually annoy for multiple +# days with many requests, so let them accumulate it up to a day +PerSourcePenalties max:1d crash:1d grace-exceeded:30s noauth:10s authfail:10s # Point keys to shared data dir to avoid regenerating them each time HostKey /var/ssh/etc/ssh/ssh_host_rsa_key