diff --git a/iptables/README.md b/iptables/README.md index fc67e5c..3e2a65d 100644 --- a/iptables/README.md +++ b/iptables/README.md @@ -8,9 +8,26 @@ sudo systemctl enable iptables ## Apply and Report Rate Limits -The `ratelimit.rules` file adds new chains to -limit the rate of new connections based on /16 subnets. +The `ratelimit.rules` file adds new chains to rate limit subnets. ```sh sudo iptables-restore -n < ratelimit.rules + +# Common offenders +sudo iptables -t raw -A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_DEFAULT +sudo iptables -t raw -A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_DEFAULT +sudo iptables -t raw -A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_DEFAULT + +# Default action +sudo iptables -t raw -A RATELIMIT_DEFAULT -p tcp --tcp-flags SYN,ACK SYN \ + -m hashlimit --hashlimit-name drop_4h \ + --hashlimit-above 4/hour --hashlimit-burst 2 \ + --hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j DROP + +# Log potential offenders +sudo iptables -t raw -A RATELIMIT_REPORT -p tcp --tcp-flags SYN,ACK SYN \ + -m hashlimit --hashlimit-name report1 \ + --hashlimit-above 1/second --hashlimit-burst 4 \ + --hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j LOG \ + --log-level 5 --log-prefix "ratelimit report1 " ``` diff --git a/iptables/ratelimit.rules b/iptables/ratelimit.rules index db4319f..e7dfdc9 100644 --- a/iptables/ratelimit.rules +++ b/iptables/ratelimit.rules @@ -1,10 +1,10 @@ *raw :RATELIMIT - -:RATELIMIT_ENFORCE - :RATELIMIT_REPORT - :RATELIMIT_SUBNET - +:RATELIMIT_DEFAULT - --I PREROUTING -p tcp --tcp-flags SYN,ACK SYN -j RATELIMIT +-I PREROUTING -j RATELIMIT -A RATELIMIT -s 127.0.0.0/8 -j RETURN -A RATELIMIT -s 10.0.0.0/8 -j RETURN @@ -13,12 +13,4 @@ -A RATELIMIT -j RATELIMIT_SUBNET -A RATELIMIT -j RATELIMIT_REPORT --A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j DROP - --A RATELIMIT_REPORT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 6 --hashlimit-mode srcip,dstport --hashlimit-name report1 --hashlimit-srcmask 16 -j LOG --log-prefix "ratelimit report1 " --log-level 5 - --A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_ENFORCE --A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_ENFORCE --A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_ENFORCE - COMMIT diff --git a/restic/README.md b/restic/README.md index 2f94664..3cbb4ee 100644 --- a/restic/README.md +++ b/restic/README.md @@ -9,12 +9,12 @@ REPO=sftp:backup-user@example.com:repo bunzip2 restic*.bz2 sudo cp restic* /usr/local/bin/restic -echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /root/restic-cmd -sudo chmod +x /root/restic-cmd +echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /usr/local/bin/restic-cmd +sudo chmod +x /usr/local/bin/restic-cmd cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key sudo chmod 600 /root/backup-key -sudo /root/restic-cmd init +sudo restic-cmd init sudo crontab crontab ``` diff --git a/restic/crontab b/restic/crontab index 5d2bebc..69bc4f2 100644 --- a/restic/crontab +++ b/restic/crontab @@ -1,2 +1,2 @@ -48 * * * * /root/restic-cmd backup -q --exclude-if-present .nobackup /data -18 3 * * * /root/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100 +48 * * * * /usr/local/bin/restic-cmd backup -q --exclude-if-present .nobackup /data +18 3 * * * /usr/local/bin/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100 diff --git a/ssh/sshd_config b/ssh/sshd_config index fb33505..4db04db 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -3,9 +3,6 @@ Port 22222 AllowUsers sshlogin git backup-* ClientAliveInterval 10 -LoginGraceTime 10 -MaxAuthTries 2 - Match User backup-* ForceCommand internal-sftp ChrootDirectory %h