summaryrefslogtreecommitdiff
path: root/src/ssh.conf
diff options
context:
space:
mode:
Diffstat (limited to 'src/ssh.conf')
-rw-r--r--src/ssh.conf25
1 files changed, 18 insertions, 7 deletions
diff --git a/src/ssh.conf b/src/ssh.conf
index 9683ef8..a703087 100644
--- a/src/ssh.conf
+++ b/src/ssh.conf
@@ -14,20 +14,31 @@ ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND"
# no password brute force
PubkeyAuthentication yes
PasswordAuthentication no
-AuthenticationMethods publickey
KbdInteractiveAuthentication no
-ChallengeResponseAuthentication no
# no forwarding and tunneling
-AllowTcpForwarding no
-AllowAgentForwarding no
-X11Forwarding no
+DisableForwarding yes
+PermitTunnel no
+
+# ddos protection: default params here for clarity
+# after 10 unauthenticated connections start dropping randomly
+# with 30% chance new connections till 100
+# then reject every new connection attempt
+MaxStartups 10:30:100
+
+# max 3 unauthenticated per IP
+PerSourceMaxStartups 3
+
+# Garbage collection of unauthenticated connections
+LoginGraceTime 10
# Limit authentication tries per connection
MaxAuthTries 3
-# Do not wait too long for authentication
-LoginGraceTime 10
+# penalties
+# we are quite harsh here because bots usually annoy for multiple
+# days with many requests, so let them accumulate it up to a day
+PerSourcePenalties max:1d crash:1d grace-exceeded:30s noauth:10s authfail:10s
# Point keys to shared data dir to avoid regenerating them each time
HostKey /var/ssh/etc/ssh/ssh_host_rsa_key