jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Implement connection rate limiting

Browse source
This commit is contained in:
Jakob Lechner 2024-07-17 23:17:21 +02:00
parent 6295e55eb8
commit 37221ed58d
1 changed files with 27 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

27
modules/sshd.nix
View file

@ -1,4 +1,5 @@
{ lib { lib
, config
, ... , ...
}: }:
@ -31,4 +32,30 @@
]; ];
authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
}; };
networking.nftables.tables."nixos-fw".content = lib.mkOrder 20 ''
set ssh-ratelimit-v4 {
type ipv4_addr
timeout 60s
flags dynamic
}
set ssh-ratelimit-v6 {
type ipv6_addr
timeout 60s
flags dynamic
}
'';
# Implement connection rate limit
services.openssh.openFirewall = false;
networking.firewall.extraInputRules = lib.mkOrder 5 (
let
ports = builtins.concatStringsSep ", " (map builtins.toString config.services.openssh.ports);
in
''
tcp dport { ${ports} } update @ssh-ratelimit-v4 { ip saddr limit rate 1/second burst 10 packets } accept
tcp dport { ${ports} } update @ssh-ratelimit-v6 { ip6 saddr limit rate 1/second burst 10 packets } accept
''
);
} }