

No commits in common. "45708b28a0d97553d605648f3c1796e218643ee1" and "b23946b81c664f50076ac839d0a39d1f57aa546b" have entirely different histories.

5 changed files with 26 additions and 20 deletions


@ -8,9 +8,26 @@ sudo systemctl enable iptables
## Apply and Report Rate Limits ## Apply and Report Rate Limits
The `ratelimit.rules` file adds new chains to The `ratelimit.rules` file adds new chains to rate limit subnets.
limit the rate of new connections based on /16 subnets.
```sh ```sh
sudo iptables-restore -n < ratelimit.rules sudo iptables-restore -n < ratelimit.rules
# Common offenders
sudo iptables -t raw -A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_DEFAULT
sudo iptables -t raw -A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_DEFAULT
sudo iptables -t raw -A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_DEFAULT
# Default action
sudo iptables -t raw -A RATELIMIT_DEFAULT -p tcp --tcp-flags SYN,ACK SYN \
-m hashlimit --hashlimit-name drop_4h \
--hashlimit-above 4/hour --hashlimit-burst 2 \
--hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j DROP
# Log potential offenders
sudo iptables -t raw -A RATELIMIT_REPORT -p tcp --tcp-flags SYN,ACK SYN \
-m hashlimit --hashlimit-name report1 \
--hashlimit-above 1/second --hashlimit-burst 4 \
--hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j LOG \
--log-level 5 --log-prefix "ratelimit report1 "
``` ```


@ -1,10 +1,10 @@
*raw *raw
:RATELIMIT - :RATELIMIT -
:RATELIMIT_ENFORCE -
:RATELIMIT_REPORT - :RATELIMIT_REPORT -
:RATELIMIT_SUBNET - :RATELIMIT_SUBNET -
:RATELIMIT_DEFAULT -
-I PREROUTING -p tcp --tcp-flags SYN,ACK SYN -j RATELIMIT -I PREROUTING -j RATELIMIT
-A RATELIMIT -s 127.0.0.0/8 -j RETURN -A RATELIMIT -s 127.0.0.0/8 -j RETURN
-A RATELIMIT -s 10.0.0.0/8 -j RETURN -A RATELIMIT -s 10.0.0.0/8 -j RETURN
@ -13,12 +13,4 @@
-A RATELIMIT -j RATELIMIT_SUBNET -A RATELIMIT -j RATELIMIT_SUBNET
-A RATELIMIT -j RATELIMIT_REPORT -A RATELIMIT -j RATELIMIT_REPORT
-A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j DROP
-A RATELIMIT_REPORT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 6 --hashlimit-mode srcip,dstport --hashlimit-name report1 --hashlimit-srcmask 16 -j LOG --log-prefix "ratelimit report1 " --log-level 5
-A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_ENFORCE
-A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_ENFORCE
-A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_ENFORCE
COMMIT COMMIT
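Review bot: Re-running `sudo iptables-restore -n < ratelimit.rules` will, as far as I recall of iptables-restore's --noflush handling, flush any user-defined chain that is re-declared with a `:` line while leaving the built-in PREROUTING untouched, so the `:RATELIMIT_SUBNET -` and `:RATELIMIT_DEFAULT -` declarations wipe the rules the README now has the operator append by hand and `-I PREROUTING -j RATELIMIT` stacks a second jump on every run — worth confirming on the target iptables version before relying on it. Either keep the subnet and default rules in this file (as the removed RATELIMIT_ENFORCE rules were), or document that the file is one-shot and that hand-added rules must be captured with `iptables-save` to survive a re-apply or the `systemctl enable iptables` reboot path shown at the top of the README. Also, with the SYN match dropped from the PREROUTING jump, every packet now traverses RATELIMIT, so any rule appended to RATELIMIT_DEFAULT or RATELIMIT_REPORT that forgets `-p tcp --tcp-flags SYN,ACK SYN` will count and drop established traffic; a comment stating that constraint would help, e.g. `# PREROUTING jumps here for ALL packets: every DROP/LOG rule below must match SYN only`.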


@ -9,12 +9,12 @@ REPO=sftp:backup-user@example.com:repo
bunzip2 restic*.bz2 bunzip2 restic*.bz2
sudo cp restic* /usr/local/bin/restic sudo cp restic* /usr/local/bin/restic
echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /root/restic-cmd echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /usr/local/bin/restic-cmd
sudo chmod +x /root/restic-cmd sudo chmod +x /usr/local/bin/restic-cmd
cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key
sudo chmod 600 /root/backup-key sudo chmod 600 /root/backup-key
sudo /root/restic-cmd init sudo restic-cmd init
sudo crontab crontab sudo crontab crontab
``` ```
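Review bot: The wrapper generated at `/usr/local/bin/restic-cmd` has no shebang and embeds `$REPO` unquoted, so it runs only because `sudo`/cron fall back to `/bin/sh` on ENOEXEC and only as long as the repo string contains no whitespace or shell metacharacters; now that it lives in a shared PATH directory it should be a proper script, e.g. `printf '#!/bin/sh\nexec nice /usr/local/bin/restic -r %s -p /root/backup-key "$@"\n' "'$REPO'" | sudo tee /usr/local/bin/restic-cmd >/dev/null`. `sudo restic-cmd init` additionally presumes sudo's `secure_path` includes `/usr/local/bin`, which is not true on every distribution — invoking it by full path as the crontab does avoids the surprise. On the unchanged key lines, `tee` echoes the freshly generated key to the terminal and creates `/root/backup-key` with the default umask before the following `chmod 600`; creating it mode-600 up front with `sudo install -m 600 /dev/null /root/backup-key` and adding `>/dev/null` to that `tee` closes both gaps.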


@ -1,2 +1,2 @@
48 * * * * /root/restic-cmd backup -q --exclude-if-present .nobackup /data 48 * * * * /usr/local/bin/restic-cmd backup -q --exclude-if-present .nobackup /data
18 3 * * * /root/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100 18 3 * * * /usr/local/bin/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100


@ -3,9 +3,6 @@ Port 22222
AllowUsers sshlogin git backup-* AllowUsers sshlogin git backup-*
ClientAliveInterval 10 ClientAliveInterval 10
LoginGraceTime 10
MaxAuthTries 2
Match User backup-* Match User backup-*
ForceCommand internal-sftp ForceCommand internal-sftp
ChrootDirectory %h ChrootDirectory %h