Update

iptables/README.md

@@ -8,26 +8,9 @@ sudo systemctl enable iptables
 
 ## Apply and Report Rate Limits
 
-The `ratelimit.rules` file adds new chains to rate limit subnets.
+The `ratelimit.rules` file adds new chains to
+limit the rate of new connections based on /16 subnets.
 
 ```sh
 sudo iptables-restore -n < ratelimit.rules
-
-# Common offenders
-sudo iptables -t raw -A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_DEFAULT
-sudo iptables -t raw -A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_DEFAULT
-sudo iptables -t raw -A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_DEFAULT
-
-# Default action
-sudo iptables -t raw -A RATELIMIT_DEFAULT -p tcp --tcp-flags SYN,ACK SYN \
- -m hashlimit --hashlimit-name drop_4h \
- --hashlimit-above 4/hour --hashlimit-burst 2 \
- --hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j DROP
-
-# Log potential offenders
-sudo iptables -t raw -A RATELIMIT_REPORT -p tcp --tcp-flags SYN,ACK SYN \
- -m hashlimit --hashlimit-name report1 \
- --hashlimit-above 1/second --hashlimit-burst 4 \
- --hashlimit-mode srcip,dstport --hashlimit-srcmask 16 -j LOG \
- --log-level 5 --log-prefix "ratelimit report1 "
 ```

iptables/ratelimit.rules

@@ -1,10 +1,10 @@
 *raw
 :RATELIMIT -
+:RATELIMIT_ENFORCE -
 :RATELIMIT_REPORT -
 :RATELIMIT_SUBNET -
-:RATELIMIT_DEFAULT -
 
--I PREROUTING -j RATELIMIT
+-I PREROUTING -p tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
 
 -A RATELIMIT -s 127.0.0.0/8 -j RETURN
 -A RATELIMIT -s 10.0.0.0/8 -j RETURN
@@ -13,4 +13,12 @@
 -A RATELIMIT -j RATELIMIT_SUBNET
 -A RATELIMIT -j RATELIMIT_REPORT
 
+-A RATELIMIT_ENFORCE -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name enforce --hashlimit-srcmask 16 -j DROP
+
+-A RATELIMIT_REPORT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 6 --hashlimit-mode srcip,dstport --hashlimit-name report1 --hashlimit-srcmask 16 -j LOG --log-prefix "ratelimit report1 " --log-level 5
+
+-A RATELIMIT_SUBNET -s 185.0.0.0/8 -j RATELIMIT_ENFORCE
+-A RATELIMIT_SUBNET -s 45.0.0.0/8 -j RATELIMIT_ENFORCE
+-A RATELIMIT_SUBNET -s 193.0.0.0/8 -j RATELIMIT_ENFORCE
+
 COMMIT

restic/README.md

@@ -9,12 +9,12 @@ REPO=sftp:backup-user@example.com:repo
 bunzip2 restic*.bz2
 sudo cp restic* /usr/local/bin/restic
 
-echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /usr/local/bin/restic-cmd
+echo 'nice /usr/local/bin/restic -r' "$REPO" '-p /root/backup-key "$@"' | sudo tee /root/restic-cmd
-sudo chmod +x /usr/local/bin/restic-cmd
+sudo chmod +x /root/restic-cmd
 
 cat /dev/urandom | base64 | head -c 64 | sudo tee /root/backup-key
 sudo chmod 600 /root/backup-key
 
-sudo restic-cmd init
+sudo /root/restic-cmd init
 sudo crontab crontab
 ```

restic/crontab

@@ -1,2 +1,2 @@
-48 *	* * *	/usr/local/bin/restic-cmd backup -q --exclude-if-present .nobackup /data
+48 *	* * *	/root/restic-cmd backup -q --exclude-if-present .nobackup /data
-18 3	* * *	/usr/local/bin/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100
+18 3	* * *	/root/restic-cmd forget -q --keep-tag keep -H 24 -d 7 -m 12 -y 100

ssh/sshd_config

@@ -3,6 +3,9 @@ Port 22222
 AllowUsers sshlogin git backup-*
 ClientAliveInterval 10
 
+LoginGraceTime 10
+MaxAuthTries 2
+
 Match User backup-*
 	ForceCommand internal-sftp
 	ChrootDirectory %h