alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
596c89ce24ac5974512a57ccd0380bde81818af8
alknet/tasks/server/rate-limiting-and-logging.md
glm-5.1 596c89ce24 refactor!: rebrand wraith to alknet 
Rename all crates, CLI commands, constants, type names, doc comments,
and documentation from wraith to alknet. Includes wire-protocol changes:
ALPN wraith-ssh -> alknet-ssh, reserved destination prefix wraith- ->
alknet-, SSH auth username wraith -> alknet.
2026-06-05 10:04:32 +00:00

2.3 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
server/rate-limiting-and-logging Implement server rate limiting and fail2ban-friendly structured logging pending
server/handler
narrow low component implementation

Description

Implement the two-layer abuse protection per ADR-013:

  1. Structured logging at INFO level for fail2ban integration: auth attempts (remote_addr, user, key_fingerprint, accept/reject), connection opened/closed (remote_addr, transport, duration)
  2. Built-in rate limiting: --max-connections-per-ip (reject new connections from IPs with N active connections), --max-auth-attempts (disconnect after N failed auth attempts per connection)

No logging of tunnel destinations, DNS resolutions, or bytes transferred (ADR-006).

Acceptance Criteria

  • crates/alknet-core/src/server/rate_limit.rs exports connection rate limiter
  • ConnectionRateLimiter tracks active connections per IP using HashMap<IpAddr, usize>
  • ConnectionRateLimiter::check(ip) -> bool — returns true if connection allowed, false if over limit
  • ConnectionRateLimiter::on_connect(ip) — increment counter
  • ConnectionRateLimiter::on_disconnect(ip) — decrement counter
  • AuthAttemptLimiter tracks failed auth attempts per connection
  • AuthAttemptLimiter::check() -> bool — returns true if under limit
  • AuthAttemptLimiter::on_failure() — increment failure counter
  • Structured tracing::info! logging on: auth attempt, connection opened, connection closed
  • Log format includes key-value pairs: remote_addr, user, key_fingerprint, result, transport, duration
  • No logging of: channel open targets, DNS resolutions, bytes transferred
  • Integration with ServerHandler: rate limiter checked before auth, auth attempt limiter checked during auth
  • Unit tests: connection limit enforced, auth attempt limit enforced, log format verification

References

  • docs/architecture/server.md — Logging and Rate Limiting section
  • docs/architecture/decisions/013-fail2ban-friendly-logging.md — logging format, rate limiting flags
  • docs/architecture/decisions/006-no-logging-of-tunnel-destinations.md — no destination logging

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink