From a559e98d82e850cb39e244c26639223b2211e121 Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Sat, 18 Apr 2026 13:39:03 -0400 Subject: [PATCH] Security hardening: TURN peer restriction, TCP relay, rate limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - coturn allowed-peer-ip scoped from 10.10.10.0/24 → 10.10.10.29 only (prevents TURN relay being used to reach other internal LXCs) - coturn no-tcp-relay=true (UDP only; TCP relay was an SSRF vector) - Added rc_joins (local: 0.1/s burst 3, remote: 0.01/s burst 3) - Added rc_joins_per_room (1/s burst 3) - Added rc_invites (per_room: 0.3/s burst 10, per_user: 0.003/s burst 5) Co-Authored-By: Claude Sonnet 4.6 --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 518faff..fedf4a6 100644 --- a/README.md +++ b/README.md @@ -455,8 +455,10 @@ Periodic `TLS/TCP socket error: Connection reset by peer` in coturn logs. Normal ### Hardening - [x] Rate limiting - [x] E2EE on all rooms (except Spam and Stuff — intentional for hookshot) -- [x] coturn internal peer deny rules (blocks relay to RFC1918 except allowed subnet) +- [x] coturn internal peer deny rules (blocks relay to RFC1918; `allowed-peer-ip` scoped to 10.10.10.29 only — LiveKit host) +- [x] coturn TCP relay disabled (`no-tcp-relay=true`) — UDP only, reduces internal network SSRF risk - [x] coturn hardening: `stale-nonce=600`, `user-quota=100`, `total-quota=1000`, strong cipher list +- [x] `rc_joins` and `rc_invites` rate limits explicitly set in homeserver.yaml - [x] `pg_hba.conf` locked down — remote access restricted to Synapse LXC only - [x] Federation open with key verification - [x] fail2ban on Synapse login endpoint (5 retries / 24h ban)
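Review bot: the diff touches only README.md (1 file changed), yet the commit message describes configuration changes to coturn (`allowed-peer-ip`, `no-tcp-relay=true`) and to homeserver.yaml (`rc_joins`, `rc_joins_per_room`, `rc_invites`); if those config files are tracked in this repository the corresponding changes should be in the same commit, and if they are not, the subject line should say this is a docs-only update so the checklist is not read as proof the settings are live. In the hunk itself, the new line `+- [x] \`rc_joins\` and \`rc_invites\` rate limits explicitly set in homeserver.yaml` omits `rc_joins_per_room`, which the commit message lists as added, and records none of the values; since the rest of this checklist quotes concrete settings (`stale-nonce=600`, `user-quota=100`, `5 retries / 24h ban`), consider listing the three limits with their per-second rates and burst counts from the commit message so the README stays the single reference for what was actually configured.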