01/01: hydra: bayfront: Throttle SSH connection attempts.
From: |
Ludovic Courtès |
Subject: |
01/01: hydra: bayfront: Throttle SSH connection attempts. |
Date: |
Wed, 14 Jun 2017 17:39:48 -0400 (EDT) |
civodul pushed a commit to branch master
in repository maintenance.
commit 2159d95219e72c8bd7edbd991355b79c45b7af86
Author: Ludovic Courtès <address@hidden>
Date: Wed Jun 14 11:15:35 2017 +0200
hydra: bayfront: Throttle SSH connection attempts.
* hydra/bayfront.scm (start-firewall, firewall-service): New variables.
(operating-system)[services]: Add FIREWALL-SERVICE.
---
hydra/bayfront.scm | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index 7186d30..bfce3a1 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,7 +1,7 @@
;; OS configuration for bayfront, the frontend of the compile farm.
(use-modules (gnu) (guix) (sysadmin people))
-(use-service-modules base networking admin mcron ssh web cuirass)
+(use-service-modules base networking admin mcron shepherd ssh web cuirass)
(use-package-modules admin linux ssh tls vim package-management web wget ci)
(define %sysadmins
@@ -42,6 +42,38 @@
"--cache-failures"
"--gc-keep-outputs" "--gc-keep-derivations"))))
+(define start-firewall
+ ;; Rules to throttle malicious SSH connection attempts. This will allow at
+ ;; most 3 connections per minute from any host, and will block the host for
+ ;; another minute if this rate is exceeded. Taken from
+ ;; <http://www.la-samhna.de/library/brutessh.html#3>.
+ #~(let ((iptables
+ (lambda (str)
+ (zero? (apply system*
+ #$(file-append iptables
+ "/sbin/iptables")
+ (string-tokenize str))))))
+ (format #t "Installing iptables SSH rules...~%")
+ (and (iptables "-A INPUT -p tcp --dport 22 -m state \
+ --state NEW -m recent --set --name SSH -j ACCEPT")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix SSH_brute_force")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
+
+(define firewall-service
+ ;; The "firewall". Make it a Shepherd service because as an activation
+ ;; script it might run too early, before the Netfilter modules can be
+ ;; loaded for some reason.
+ (simple-service 'firewall shepherd-root-service-type
+ (list (shepherd-service
+ (provision '(firewall))
+ (requirement '())
+ (start #~(lambda ()
+ #$start-firewall))
+ (respawn? #f)))))
+
;;;
;;; NGINX.
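Review bot: Each run of start-firewall appends the three rules with `-A` and the shepherd-service carries no `stop`, so a restart of the `firewall` service (or any second start) leaves duplicate copies of the rules in INPUT instead of being idempotent. The `iptables` helper could be wrapped so that a rule is added only when `iptables -C ...` reports it missing, or the service could be given a `stop` that removes the same three rules with `-D`, which also makes the state reversible. Because only `iptables` is driven here, SSH connections arriving over IPv6, if bayfront accepts any, are not subject to this limit; the equivalent `ip6tables` rules would be needed for the throttle to hold there. The comment on start-firewall could also state that the `-A` rules only take effect behind whatever earlier INPUT rules accept port 22, so their position in the chain matters if other rules are added later.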
@@ -219,6 +251,8 @@ Happy hacking!\n"))
(mcron-configuration
(jobs (list %gc-job %certbot-job))))
+ firewall-service
+
(modify-services %base-services
;; Disable substitutes altogether.
(guix-service-type config => %guix-daemon-config)