diff --git a/iptables/README.md b/iptables/README.md
index 3e2a65d..fc67e5c 100644
--- a/iptables/README.md
+++ b/iptables/README.md
@@ -8,26 +8,9 @@ sudo systemctl enable iptables
 ## Apply and Report Rate Limits
 
-The `ratelimit.rules` file adds new chains to rate limit subnets.
+The `ratelimit.rules` file adds new chains to
+limit the rate of new connections based on /16 subnets.
 
 ```sh
 sudo iptables-restore -n < ratelimit.rules
-
-# Common offenders
-sudo iptables -t raw -A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_DEFAULT
-sudo iptables -t raw -A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_DEFAULT
-sudo iptables -t raw -A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_DEFAULT
-
-# Default action
-sudo iptables -t raw -A RATELIMIT_DEFAULT -p tcp --tcp-flags SYN,ACK SYN \
- -m hashlimit --hashlimit-name drop_4h \
- --hashlimit-above 4/hour --hashlimit-burst 2 \
- --hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j DROP
-
-# Log potential offenders
-sudo iptables -t raw -A RATELIMIT_REPORT -p tcp --tcp-flags SYN,ACK SYN \
- -m hashlimit --hashlimit-name report1 \
- --hashlimit-above 1/second --hashlimit-burst 4 \
- --hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j LOG \
- --log-level 5 --log-prefix "ratelimit report1 "
 ```
 
diff --git a/iptables/ratelimit.rules b/iptables/ratelimit.rules
index e7dfdc9..db4319f 100644
--- a/iptables/ratelimit.rules
+++ b/iptables/ratelimit.rules
@@ -1,10 +1,10 @@
 *raw
 :RATELIMIT -
+:RATELIMIT_ENFORCE -
 :RATELIMIT_REPORT -
 :RATELIMIT_SUBNET -
-:RATELIMIT_DEFAULT -
--I PREROUTING -j RATELIMIT
+-I PREROUTING -p tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
 -A RATELIMIT -s 127.0.0.0/8 -j RETURN
 -A RATELIMIT -s 10.0.0.0/8 -j RETURN
@@ -13,4 +13,12 @@
 -A RATELIMIT -j RATELIMIT_SUBNET
 -A RATELIMIT -j RATELIMIT_REPORT
+-A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j DROP
+
+-A RATELIMIT_REPORT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 6 --hashlimit-mode srcip,dstport --hashlimit-name report1 --hashlimit-srcmask 16 -j LOG --log-prefix "ratelimit report1 " --log-level 5
+
+-A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_ENFORCE
+-A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_ENFORCE
+-A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_ENFORCE
+
 
 COMMIT
diff --git a/restic/README.md b/restic/README.md
index 3cbb4ee..2f94664 100644
--- a/restic/README.md
+++ b/restic/README.md
@@ -9,12 +9,12 @@ REPO=sftp:backup-user@example.com:repo
 bunzip2 restic*.bz2
 sudo cp restic* /usr/local/bin/restic
-echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /usr/local/bin/restic-cmd
-sudo chmod +x /usr/local/bin/restic-cmd
+echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /root/restic-cmd
+sudo chmod +x /root/restic-cmd
 cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key
 sudo chmod 600 /root/backup-key
-sudo restic-cmd init
+sudo /root/restic-cmd init
 sudo crontab crontab
 ```
diff --git a/restic/crontab b/restic/crontab
index 69bc4f2..5d2bebc 100644
--- a/restic/crontab
+++ b/restic/crontab
@@ -1,2 +1,2 @@
-48 * * * * /usr/local/bin/restic-cmd backup -q --exclude-if-present .nobackup /data
-18 3 * * * /usr/local/bin/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100
+48 * * * * /root/restic-cmd backup -q --exclude-if-present .nobackup /data
+18 3 * * * /root/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100
diff --git a/ssh/sshd_config b/ssh/sshd_config
index 4db04db..fb33505 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
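Review bot: A /16 that trips RATELIMIT_ENFORCE is dropped with no log entry at all, because RATELIMIT jumps to RATELIMIT_SUBNET before RATELIMIT_REPORT (the two context lines at the top of this hunk) and the new RATELIMIT_ENFORCE rule ends in DROP, so the report1 log never sees the subnets that are actually being enforced and an operator cannot distinguish an enforced drop from an outage. I would send the hashlimit match into a small chain that logs a bounded sample and then drops, which also needs a `:RATELIMIT_DROP -` declaration beside the other chain lines at the top of the file (outside this hunk). The report1 LOG rule has no cap beyond hashlimit itself: once a /16 is above 1/min on a port, every further SYN from it is written to the kernel log, so a trailing `-m limit --limit 10/min --limit-burst 20` before `-j LOG` keeps that bounded. Both hashlimit rules in this hunk no longer carry `-p tcp --tcp-flags SYN,ACK SYN`, so the SYN match on the PREROUTING jump is the only thing keeping non-SYN packets out of the buckets; a comment such as `# All counting below assumes the PREROUTING jump already restricted traffic to TCP SYN` next to them would make that dependency explicit.
```text
-A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j RATELIMIT_DROP

# Log a bounded sample of enforced drops, then drop (limit values are constructed examples).
-A RATELIMIT_DROP -m limit --limit 6/hour --limit-burst 6 -j LOG --log-prefix "ratelimit enforce " --log-level 5
-A RATELIMIT_DROP -j DROP

# … unchanged: RATELIMIT_REPORT and RATELIMIT_SUBNET rules …
```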
@@ -3,6 +3,9 @@ Port 22222
 AllowUsers sshlogin git backup-*
 ClientAliveInterval 10
+LoginGraceTime 10
+MaxAuthTries 2
+
 Match User backup-*
 ForceCommand internal-sftp
 ChrootDirectory %h