summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Matthias Lucas Jaros <jarlucmat@mailbox.org>2025-11-15 11:29:43 +0100
committerGravatar Matthias Lucas Jaros <jarlucmat@mailbox.org>2025-11-15 11:29:43 +0100
commita8504dd5efa4df7c813adfda16630660a694718a (patch)
tree11ce8d275a5b125e3abd41404a08e1e7c78b2e90
parent2b3c73728b9b748295e69a5fe4ad05c5b04408cb (diff)
Removed deprecated settings, added DisableForwarding which sets multiple at once and disabled also tunnels. Furthermore added penalties for sources that spam the server and allow only 3 unauthenticated connections per source
-rw-r--r--src/ssh.conf25
1 files changed, 18 insertions, 7 deletions
diff --git a/src/ssh.conf b/src/ssh.conf
index 9683ef8..a703087 100644
--- a/src/ssh.conf
+++ b/src/ssh.conf
@@ -14,20 +14,31 @@ ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND"
# no password brute force
PubkeyAuthentication yes
PasswordAuthentication no
-AuthenticationMethods publickey
KbdInteractiveAuthentication no
-ChallengeResponseAuthentication no
# no forwarding and tunneling
-AllowTcpForwarding no
-AllowAgentForwarding no
-X11Forwarding no
+DisableForwarding yes
+PermitTunnel no
+
+# ddos protection: default params here for clarity
+# after 10 unauthenticated connections start dropping randomly
+# with 30% chance new connections till 100
+# then reject every new connection attempt
+MaxStartups 10:30:100
+
+# max 3 unauthenticated per IP
+PerSourceMaxStartups 3
+
+# Garbage collection of unauthenticated connections
+LoginGraceTime 10
# Limit authentication tries per connection
MaxAuthTries 3
-# Do not wait too long for authentication
-LoginGraceTime 10
+# penalties
+# we are quite harsh here because bots usually annoy for multiple
+# days with many requests, so let them accumulate it up to a day
+PerSourcePenalties max:1d crash:1d grace-exceeded:30s noauth:10s authfail:10s
# Point keys to shared data dir to avoid regenerating them each time
HostKey /var/ssh/etc/ssh/ssh_host_rsa_key