Implement connection rate limiting

2024-07-17 23:17:21 +02:00 · 2024-07-17 23:17:21 +02:00 · 37221ed58d
commit 37221ed58d
parent 6295e55eb8
1 changed files with 27 additions and 0 deletions
--- a/modules/sshd.nix
+++ b/modules/sshd.nix
@ -1,4 +1,5 @@
 { lib
+, config
 , ...
 }:

@ -31,4 +32,30 @@
    ];
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
  };
+
+  networking.nftables.tables."nixos-fw".content = lib.mkOrder 20 ''
+    set ssh-ratelimit-v4 {
+      type ipv4_addr
+      timeout 60s
+      flags dynamic
+    }
+
+    set ssh-ratelimit-v6 {
+      type ipv6_addr
+      timeout 60s
+      flags dynamic
+    }
+  '';
+
+  # Implement connection rate limit
+  services.openssh.openFirewall = false;
+  networking.firewall.extraInputRules = lib.mkOrder 5 (
+    let
+      ports = builtins.concatStringsSep ", " (map builtins.toString config.services.openssh.ports);
+    in
+    ''
+      tcp dport { ${ports} } update @ssh-ratelimit-v4 { ip saddr limit rate 1/second burst 10 packets } accept
+      tcp dport { ${ports} } update @ssh-ratelimit-v6 { ip6 saddr limit rate 1/second burst 10 packets } accept
+    ''
+  );
 }