From d1cebc658174a16014c2a3847bdf55bb3553b7fb Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sat, 7 Feb 2026 19:58:55 +0800
Subject: more robust for ssh floods
---
README | 59 ---------------------------------------------------
docs | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
sshd_config | 4 ++++
start_container.sh | 2 ++
4 files changed, 68 insertions(+), 59 deletions(-)
delete mode 100644 README
create mode 100644 docs
diff --git a/README b/README
deleted file mode 100644
index c71655b..0000000
--- a/README
+++ /dev/null
@@ -1,59 +0,0 @@
-CGIT CONTAINER
-
-Cgit with automatic HTTPS (cgit + caddy + Let's Encrypt).
-
-Requirements:
- - Public IPv4 address
- - Domain pointing to the IP
- - /git directory for bare repos
-
-Host setup (one-time):
- cat > /etc/sysctl.d/99-container-routing.conf << 'EOF'
- net.ipv4.ip_forward=1
- net.ipv4.conf.enp1s0.proxy_arp=1
- EOF
- sysctl -p /etc/sysctl.d/99-container-routing.conf
- mkdir -p /git/.ssh
-
-Run:
- ./start_container.sh
-
-Run (manual):
- podman run -d \
- --name cgit \
- --network public-routed \
- --ip 10.89.0.2 \
- --cap-add=NET_ADMIN \
- --env-file config.env \
- -v cgit_data:/data \
- -v /git:/git \
- localhost/cgit
-
- sleep 2
- podman exec cgit ip addr add 37.27.166.242/32 dev eth0
- ip route add 37.27.166.242/32 via 10.89.0.2
-
-SSH keys:
- Drop .pub files in /git/.ssh/, they're combined into authorized_keys on run.
-
-Create repo:
- git init --bare /git/myrepo
-
-Restart:
- podman restart cgit
-
-Stop:
- podman stop cgit && podman rm cgit && ip route del 37.27.166.242/32
-
-Cleanup:
- podman stop cgit
- podman rm cgit
- podman volume rm cgit_data
- ip route del 37.27.166.242/32
- podman network rm public-routed # only if no other containers use it
-
-Logs:
- podman logs -f cgit
-
-Shell:
- podman exec -it cgit sh
diff --git a/docs b/docs
new file mode 100644
index 0000000..89d3373
--- /dev/null
+++ b/docs
@@ -0,0 +1,62 @@
+CGIT CONTAINER
+
+Cgit with automatic HTTPS (cgit + caddy + Let's Encrypt).
+
+Requirements:
+ - Public IPv4 address
+ - Domain pointing to the IP
+ - /git directory for bare repos
+
+Host setup (one-time):
+ cat > /etc/sysctl.d/99-container-routing.conf << 'EOF'
+ net.ipv4.ip_forward=1
+ net.ipv4.conf.enp1s0.proxy_arp=1
+ EOF
+ sysctl -p /etc/sysctl.d/99-container-routing.conf
+ mkdir -p /git/.ssh
+
+Run:
+ ./start_container.sh
+
+Run (manual):
+ podman run -d \
+ --name cgit \
+ --network public-routed \
+ --ip 10.89.0.2 \
+ --cap-add=NET_ADMIN \
+ --env-file config.env \
+ -v cgit_data:/data \
+ -v /git:/git \
+ localhost/cgit
+
+ sleep 2
+ podman exec cgit ip addr add 37.27.166.242/32 dev eth0
+ ip route add 37.27.166.242/32 via 10.89.0.2
+
+SSH keys:
+ Drop .pub files in /git/.ssh/, they're combined into authorized_keys on run.
+
+Create repo:
+ git init --bare /git/myrepo
+
+Restart:
+ podman restart cgit
+
+Stop:
+ podman stop cgit && podman rm cgit && ip route del 37.27.166.242/32
+
+Cleanup:
+ podman stop cgit
+ podman rm cgit
+ podman volume rm cgit_data
+ ip route del 37.27.166.242/32
+ podman network rm public-routed # only if no other containers use it
+
+Logs:
+ podman logs -f cgit
+
+Processes:
+ podman exec cgit ps aux
+
+Shell:
+ podman exec -it cgit sh
diff --git a/sshd_config b/sshd_config
index ab4c469..5d31e36 100644
--- a/sshd_config
+++ b/sshd_config
@@ -3,4 +3,8 @@ PermitRootLogin prohibit-password
 PasswordAuthentication no
 PubkeyAuthentication yes
 AuthorizedKeysFile /git/.ssh/authorized_keys
+# Max 3 concurrent unauthenticated connections, drop 50% above that, hard cap at 10
+MaxStartups 3:50:10
+# Kill unauthenticated connections after 15 seconds
+LoginGraceTime 15
 Subsystem sftp /usr/lib/ssh/sftp-server
diff --git a/start_container.sh b/start_container.sh
index 25fcb10..2299390 100755
--- a/start_container.sh
+++ b/start_container.sh
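Review bot: The comment above `MaxStartups 3:50:10` misstates the directive: the fields are start:rate:full, and sshd refuses a new unauthenticated connection with probability rate/100 once start (3) are pending, rising linearly to 100% at full (10), so the drop rate is not a flat 50%; a more accurate comment is `# MaxStartups start:rate:full: refuse 50% of new unauthenticated connections once 3 are pending, rising linearly to 100% at 10`. Because the limit is global rather than per source, a single client holding about ten half-open connections for the 15 s LoginGraceTime window also locks out every legitimate key-based user, which turns the flood into a denial of service for them. If the image's OpenSSH is 8.5 or newer, `PerSourceMaxStartups 2` (optionally with `PerSourceNetBlockSize`) keeps one source from consuming the whole budget; a hard cap of 10 is also on the low side for a public git host. sshd logs each refusal as "past MaxStartups" at its default LogLevel, so the container log shows whether the cap is being hit during tuning.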
@@ -33,6 +33,7 @@ podman run -d \
 --network ${NETWORK} \
 --ip ${PRIVATE_IP} \
 --cap-add=NET_ADMIN \
+ --pids-limit=100 \
 --env-file "$(dirname "$0")/config.env" \
 -v ${CONTAINER_NAME}_data:/data \
 -v /git:/git \
@@ -40,6 +41,7 @@ podman run -d \
 
 # Setup public IP
 sleep 2
+# Get the container's network interface name (e.g. eth0)
 IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link | grep -v lo | head -1 | cut -d: -f2 | tr -d ' ' | cut -d@ -f1")
 podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}
 ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}
--
cgit
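Review bot: `--pids-limit=100 \` is the only hard-coded tunable on the `podman run` line in the first hunk, while the network, IP and container name come from variables; writing it as `--pids-limit="${PIDS_LIMIT:-100}" \` keeps it overridable like the rest without changing the default. The pid budget is shared by every process in the container — sshd's per-connection children, caddy and presumably each cgit CGI process — so a flood that drives the count to the cap makes cgit requests fail as well, and whether 100 leaves headroom alongside `MaxStartups 3:50:10` is something to confirm with `podman stats` under load rather than assume. A `--memory` limit would complement it, since unauthenticated sshd sessions cost memory as well as pids. The second hunk only adds a comment above the IFACE line and needs nothing; the `podman run` command it belongs to begins before the first hunk.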