commit d602c28df62107528867d15f3ecf659e585bff5b
author Serge Bazanski <q3k@hackerspace.pl> Thu Oct 28 21:10:47 2021 +0200
committer q3k <q3k@hackerspace.pl> Mon Dec 13 22:30:46 2021 +0000
tree 097637ed5db14f55f3e8ff6ca890b36388d893b8
parent 82fc1318e28804614275bf053b1efbaa4cad0416

bgpwtf: fixup ssh problems

This makes our routers less likely to reject connections when they're
being bruteforced: first, by disabling password auth (which we don't
use, anyway), second by making connection limits a bit less draconian.

Change-Id: I4e1e3b0be85dd5ad07a10610ca28a6f094249d8c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1174
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: implr <implr@hackerspace.pl>

bgpwtf/machines/modules/router.nix

diff --git a/bgpwtf/machines/modules/router.nix b/bgpwtf/machines/modules/router.nix
index bdd5336..953b277 100644
--- a/bgpwtf/machines/modules/router.nix
+++ b/bgpwtf/machines/modules/router.nix
@@ -51,6 +51,13 @@
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
+  services.openssh.passwordAuthentication = false;
+  # Allow for slightly more unauthenticated connections between dropping them,
+  # otherwise public bruteforcing will cause DoS preventing actual users from
+  # logging in.
+  services.openssh.extraConfig = ''
+    MaxStartups 100:30:1000
+  '';
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"