From 94b7d30c02f9d3c592ae3c45c3515aaf4fef5419 Mon Sep 17 00:00:00 2001
From: oqyude
Date: Mon, 13 Apr 2026 10:26:43 +0300
Subject: [PATCH] syn ddos defence

---
 configurations/vds.nix | 29 ++++++++++++++++++++++++++++-
 modules/essentials/packages.nix | 2 ++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/configurations/vds.nix b/configurations/vds.nix
index 6f873ed..924f6f1 100644
--- a/configurations/vds.nix
+++ b/configurations/vds.nix
@@ -37,6 +37,12 @@ let
 };
 systemd-boot.enable = lib.mkDefault false;
 };
+ kernel.sysctl = {
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_max_syn_backlog" = 4096;
+ "net.ipv4.tcp_synack_retries" = 3;
+ "net.ipv4.tcp_syn_retries" = 3;
+ };
 };

 services = {
@@ -67,7 +73,6 @@ let
 openFirewall = true;
 };
 };
-
 networking = {
 nameservers = [
 "1.1.1.1"
@@ -88,6 +93,28 @@ let
 enable = true;
 allowPing = true;
 };
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0;
+
+ # loopback
+ iif lo accept
+
+ # уже установленные
+ ct state established,related accept
+
+ # РЕЖЕМ SYN СРАЗУ
+ tcp flags syn tcp dport {80,443} limit rate 20/second burst 40 packets accept
+ tcp flags syn tcp dport {80,443} drop
+
+ # остальное по необходимости
+ }
+ }
+ '';
+ };
 enableIPv6 = true;
 interfaces.ens3 = {
 useDHCP = true;
diff --git a/modules/essentials/packages.nix b/modules/essentials/packages.nix
index a87e566..d2af48f 100644
--- a/modules/essentials/packages.nix
+++ b/modules/essentials/packages.nix
@@ -98,6 +98,8 @@ in
 devenv
 # Test
+ rgx
+ net-tools
 # lazydocker
 # dtop
 # framework-tool-tui
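Review bot: `"net.ipv4.tcp_syn_retries" = 3` in the new `kernel.sysctl` block governs retransmission of SYNs this host sends for its own outbound connections, so it adds nothing to the SYN-flood defence the commit is about, and on a lossy path it cuts the outbound connect timeout from roughly two minutes (kernel default of 6 retries) to a few seconds; unless outbound behaviour is meant to change, drop that line or document the reason, e.g. `# outbound only: give up on unreachable peers sooner (not a flood knob)`. The other three keys deserve a short header comment as well, since `tcp_syncookies = 1` only engages once the SYN backlog overflows and the effective backlog is further capped by `net.core.somaxconn` and the listener's own backlog, so raising `tcp_max_syn_backlog` alone may not change what an operator observes; something like `# SYN-flood hardening: cookies on overflow, larger half-open queue, fewer SYN-ACK retransmits` would make the intent reviewable. The enclosing `boot` attribute set starts before the hunk.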
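Review bot: The limit on the two `tcp flags syn tcp dport {80,443}` lines of the nftables ruleset is one global bucket, not a per-source budget, so once the combined SYN rate from all clients exceeds 20/second (a handful of page loads, each opening several connections, can reach that) every client's new connections to the web ports are dropped — as written the rule lowers the amount of traffic needed to make the site unreachable rather than raising it. The usual shape is a per-source budget kept in a dynamic set, one for IPv4 and one for IPv6 since the table is `inet`; the rewrite below replaces the two rules with that and keeps the 20/second and burst 40 figures. `tcp flags syn` also matches SYN+ACK, whereas `tcp flags & (syn | ack) == syn` matches only connection-opening SYNs. The chain declares no `policy`, so its default is accept and everything not matched is left to the NixOS firewall (`networking.firewall` appears to be enabled in the context lines just above, which I take to be intended); the three Russian comments would read better in English as `# already established`, `# cut SYN floods per source` and `# the rest as needed`.

```nix
ruleset = ''
  table inet filter {
    # per-source SYN budgets; entries expire once a source goes quiet
    set syn_v4 { type ipv4_addr; flags dynamic; timeout 1m; }
    set syn_v6 { type ipv6_addr; flags dynamic; timeout 1m; }

    chain input {
      # … unchanged: hook declaration, loopback accept, established/related accept …

      # cut SYN floods per source: one busy client cannot exhaust everyone's budget
      tcp flags & (syn | ack) == syn tcp dport {80,443} add @syn_v4 { ip saddr limit rate over 20/second burst 40 packets } drop
      tcp flags & (syn | ack) == syn tcp dport {80,443} add @syn_v6 { ip6 saddr limit rate over 20/second burst 40 packets } drop

      # the rest as needed
    }
  }
'';
```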