Compare commits
No commits in common. "45708b28a0d97553d605648f3c1796e218643ee1" and "b23946b81c664f50076ac839d0a39d1f57aa546b" have entirely different histories.
45708b28a0
...
b23946b81c
|
@ -8,9 +8,26 @@ sudo systemctl enable iptables
|
||||||
|
|
||||||
## Apply and Report Rate Limits
|
## Apply and Report Rate Limits
|
||||||
|
|
||||||
The `ratelimit.rules` file adds new chains to
|
The `ratelimit.rules` file adds new chains to rate limit subnets.
|
||||||
limit the rate of new connections based on /16 subnets.
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
sudo iptables-restore -n < ratelimit.rules
|
sudo iptables-restore -n < ratelimit.rules
|
||||||
|
|
||||||
|
# Common offenders
|
||||||
|
sudo iptables -t raw -A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_DEFAULT
|
||||||
|
sudo iptables -t raw -A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_DEFAULT
|
||||||
|
sudo iptables -t raw -A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_DEFAULT
|
||||||
|
|
||||||
|
# Default action
|
||||||
|
sudo iptables -t raw -A RATELIMIT_DEFAULT -p tcp --tcp-flags SYN,ACK SYN \
|
||||||
|
-m hashlimit --hashlimit-name drop_4h \
|
||||||
|
--hashlimit-above 4/hour --hashlimit-burst 2 \
|
||||||
|
--hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j DROP
|
||||||
|
|
||||||
|
# Log potential offenders
|
||||||
|
sudo iptables -t raw -A RATELIMIT_REPORT -p tcp --tcp-flags SYN,ACK SYN \
|
||||||
|
-m hashlimit --hashlimit-name report1 \
|
||||||
|
--hashlimit-above 1/second --hashlimit-burst 4 \
|
||||||
|
--hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j LOG \
|
||||||
|
--log-level 5 --log-prefix "ratelimit report1 "
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
*raw
|
*raw
|
||||||
:RATELIMIT -
|
:RATELIMIT -
|
||||||
:RATELIMIT_ENFORCE -
|
|
||||||
:RATELIMIT_REPORT -
|
:RATELIMIT_REPORT -
|
||||||
:RATELIMIT_SUBNET -
|
:RATELIMIT_SUBNET -
|
||||||
|
:RATELIMIT_DEFAULT -
|
||||||
|
|
||||||
-I PREROUTING -p tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
|
-I PREROUTING -j RATELIMIT
|
||||||
|
|
||||||
-A RATELIMIT -s 127.0.0.0/8 -j RETURN
|
-A RATELIMIT -s 127.0.0.0/8 -j RETURN
|
||||||
-A RATELIMIT -s 10.0.0.0/8 -j RETURN
|
-A RATELIMIT -s 10.0.0.0/8 -j RETURN
|
||||||
|
@ -13,12 +13,4 @@
|
||||||
-A RATELIMIT -j RATELIMIT_SUBNET
|
-A RATELIMIT -j RATELIMIT_SUBNET
|
||||||
-A RATELIMIT -j RATELIMIT_REPORT
|
-A RATELIMIT -j RATELIMIT_REPORT
|
||||||
|
|
||||||
-A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j DROP
|
|
||||||
|
|
||||||
-A RATELIMIT_REPORT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 6 --hashlimit-mode srcip,dstport --hashlimit-name report1 --hashlimit-srcmask 16 -j LOG --log-prefix "ratelimit report1 " --log-level 5
|
|
||||||
|
|
||||||
-A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_ENFORCE
|
|
||||||
-A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_ENFORCE
|
|
||||||
-A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_ENFORCE
|
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
|
@ -9,12 +9,12 @@ REPO=sftp:backup-user@example.com:repo
|
||||||
bunzip2 restic*.bz2
|
bunzip2 restic*.bz2
|
||||||
sudo cp restic* /usr/local/bin/restic
|
sudo cp restic* /usr/local/bin/restic
|
||||||
|
|
||||||
echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /root/restic-cmd
|
echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /usr/local/bin/restic-cmd
|
||||||
sudo chmod +x /root/restic-cmd
|
sudo chmod +x /usr/local/bin/restic-cmd
|
||||||
|
|
||||||
cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key
|
cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key
|
||||||
sudo chmod 600 /root/backup-key
|
sudo chmod 600 /root/backup-key
|
||||||
|
|
||||||
sudo /root/restic-cmd init
|
sudo restic-cmd init
|
||||||
sudo crontab crontab
|
sudo crontab crontab
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
48 * * * * /root/restic-cmd backup -q --exclude-if-present .nobackup /data
|
48 * * * * /usr/local/bin/restic-cmd backup -q --exclude-if-present .nobackup /data
|
||||||
18 3 * * * /root/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100
|
18 3 * * * /usr/local/bin/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100
|
||||||
|
|
|
@ -3,9 +3,6 @@ Port 22222
|
||||||
AllowUsers sshlogin git backup-*
|
AllowUsers sshlogin git backup-*
|
||||||
ClientAliveInterval 10
|
ClientAliveInterval 10
|
||||||
|
|
||||||
LoginGraceTime 10
|
|
||||||
MaxAuthTries 2
|
|
||||||
|
|
||||||
Match User backup-*
|
Match User backup-*
|
||||||
ForceCommand internal-sftp
|
ForceCommand internal-sftp
|
||||||
ChrootDirectory %h
|
ChrootDirectory %h
|
||||||
|
|
Loading…
Reference in New Issue