more robust for ssh floods

3 files changed, 9 insertions, 0 deletions

diff --git a/README b/docs
index c71655b..89d3373 100644
--- a/README
+++ b/docs
@@ -55,5 +55,8 @@ Cleanup:
 Logs:
     podman logs -f cgit
 
+Processes:
+    podman exec cgit ps aux
+
 Shell:
     podman exec -it cgit sh
diff --git a/sshd_config b/sshd_config
index ab4c469..5d31e36 100644
--- a/sshd_config
+++ b/sshd_config
@@ -3,4 +3,8 @@ PermitRootLogin prohibit-password
 PasswordAuthentication no
 PubkeyAuthentication yes
 AuthorizedKeysFile /git/.ssh/authorized_keys
+# Max 3 concurrent unauthenticated connections, drop 50% above that, hard cap at 10
+MaxStartups 3:50:10
+# Kill unauthenticated connections after 15 seconds
+LoginGraceTime 15
 Subsystem sftp /usr/lib/ssh/sftp-server
diff --git a/start_container.sh b/start_container.sh
index 25fcb10..2299390 100755
--- a/start_container.sh
+++ b/start_container.sh
@@ -33,6 +33,7 @@ podman run -d \
     --network ${NETWORK} \
     --ip ${PRIVATE_IP} \
     --cap-add=NET_ADMIN \
+    --pids-limit=100 \
     --env-file "$(dirname "$0")/config.env" \
     -v ${CONTAINER_NAME}_data:/data \
     -v /git:/git \
@@ -40,6 +41,7 @@ podman run -d \
 
 # Setup public IP
 sleep 2
+# Get the container's network interface name (e.g. eth0)
 IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link | grep -v lo | head -1 | cut -d: -f2 | tr -d ' ' | cut -d@ -f1")
 podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}
 ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}