From f5e0f2932e9a4f05bc267fbbf9c554e237cb91ba Mon Sep 17 00:00:00 2001
From: Ben Wolsieffer
Date: Sun, 15 Nov 2020 20:37:17 -0500
Subject: [PATCH] sshd: disable trigger limit for systemd socket

When startWhenNeeded is enabled, a brute force attack on sshd will cause systemd to shut down the socket, locking out all SSH access to the machine. Setting TriggerLimitIntervalSec to 0 disables this behavior.
---
 nixos/modules/services/networking/ssh/sshd.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 004b4f99670f..f19624aba022 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -480,6 +480,8 @@ in
 else cfg.ports;
 socketConfig.Accept = true;
+ # Prevent brute-force attacks from shutting down socket
+ socketConfig.TriggerLimitIntervalSec = 0;
 };
 services."sshd@" = service;
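Review bot: The added comment on `socketConfig.TriggerLimitIntervalSec = 0` does not say that this disables systemd's trigger rate limit entirely, which trades the lockout failure mode for an unbounded activation rate, so a reader cannot judge the trade-off from the code. With `socketConfig.Accept = true` just above, every accepted connection spawns an `sshd@` instance, and the only remaining bound on a connection flood is the socket unit's MaxConnections= (systemd's default is 64); that is worth stating next to the setting, and raising TriggerLimitBurst= instead of zeroing the interval is the milder alternative if the intent is only to survive bursts. I would expand the comment to something like `# A burst of connections (e.g. a brute-force attempt) would otherwise trip systemd's trigger rate limit and put the socket into a failed state, locking out all SSH access. 0 disables the limit entirely; concurrent instances remain bounded by MaxConnections (default 64).`. The enclosing `sockets.sshd` attribute set begins before this hunk.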