Security hardening: TURN peer restriction, TCP relay, rate limits
- coturn allowed-peer-ip scoped from 10.10.10.0/24 → 10.10.10.29 only (prevents TURN relay being used to reach other internal LXCs) - coturn no-tcp-relay=true (UDP only; TCP relay was an SSRF vector) - Added rc_joins (local: 0.1/s burst 3, remote: 0.01/s burst 3) - Added rc_joins_per_room (1/s burst 3) - Added rc_invites (per_room: 0.3/s burst 10, per_user: 0.003/s burst 5) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -455,8 +455,10 @@ Periodic `TLS/TCP socket error: Connection reset by peer` in coturn logs. Normal
|
|||||||
### Hardening
|
### Hardening
|
||||||
- [x] Rate limiting
|
- [x] Rate limiting
|
||||||
- [x] E2EE on all rooms (except Spam and Stuff — intentional for hookshot)
|
- [x] E2EE on all rooms (except Spam and Stuff — intentional for hookshot)
|
||||||
- [x] coturn internal peer deny rules (blocks relay to RFC1918 except allowed subnet)
|
- [x] coturn internal peer deny rules (blocks relay to RFC1918; `allowed-peer-ip` scoped to 10.10.10.29 only — LiveKit host)
|
||||||
|
- [x] coturn TCP relay disabled (`no-tcp-relay=true`) — UDP only, reduces internal network SSRF risk
|
||||||
- [x] coturn hardening: `stale-nonce=600`, `user-quota=100`, `total-quota=1000`, strong cipher list
|
- [x] coturn hardening: `stale-nonce=600`, `user-quota=100`, `total-quota=1000`, strong cipher list
|
||||||
|
- [x] `rc_joins` and `rc_invites` rate limits explicitly set in homeserver.yaml
|
||||||
- [x] `pg_hba.conf` locked down — remote access restricted to Synapse LXC only
|
- [x] `pg_hba.conf` locked down — remote access restricted to Synapse LXC only
|
||||||
- [x] Federation open with key verification
|
- [x] Federation open with key verification
|
||||||
- [x] fail2ban on Synapse login endpoint (5 retries / 24h ban)
|
- [x] fail2ban on Synapse login endpoint (5 retries / 24h ban)
|
||||||
|
|||||||
Reference in New Issue
Block a user