alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c820a41e90fb5a6b9038644d428d4145284f27a
alknet/tasks/server/rate-limiting-and-logging.md
glm-5.1 5c820a41e9 tasks: decompose Phase 0a ADR foundation and mark prior tasks completed 
Add 10 new tasks under tasks/architecture/ for Phase 0a (ADR writing):
- 9 ADR tasks (026-034) with dependency-ordered structure
- 1 review checkpoint task before Phase 0b spec writing

ADR dependency graph (3 generations):
  Gen 1 (parallel): 026, 029, 030, 031, 032, 034
  Gen 2 (depends on 029): 027, 028
  Gen 3 (depends on 027+028): 033
  Gen 4: review checkpoint

Also mark all 34 prior implementation tasks as completed — they
were finished but still showing as pending in the taskgraph.
2026-06-07 08:55:33 +00:00

2.3 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
server/rate-limiting-and-logging Implement server rate limiting and fail2ban-friendly structured logging completed
server/handler
narrow low component implementation

Description

Implement the two-layer abuse protection per ADR-013:

  1. Structured logging at INFO level for fail2ban integration: auth attempts (remote_addr, user, key_fingerprint, accept/reject), connection opened/closed (remote_addr, transport, duration)
  2. Built-in rate limiting: --max-connections-per-ip (reject new connections from IPs with N active connections), --max-auth-attempts (disconnect after N failed auth attempts per connection)

No logging of tunnel destinations, DNS resolutions, or bytes transferred (ADR-006).

Acceptance Criteria

  • crates/alknet-core/src/server/rate_limit.rs exports connection rate limiter
  • ConnectionRateLimiter tracks active connections per IP using HashMap<IpAddr, usize>
  • ConnectionRateLimiter::check(ip) -> bool — returns true if connection allowed, false if over limit
  • ConnectionRateLimiter::on_connect(ip) — increment counter
  • ConnectionRateLimiter::on_disconnect(ip) — decrement counter
  • AuthAttemptLimiter tracks failed auth attempts per connection
  • AuthAttemptLimiter::check() -> bool — returns true if under limit
  • AuthAttemptLimiter::on_failure() — increment failure counter
  • Structured tracing::info! logging on: auth attempt, connection opened, connection closed
  • Log format includes key-value pairs: remote_addr, user, key_fingerprint, result, transport, duration
  • No logging of: channel open targets, DNS resolutions, bytes transferred
  • Integration with ServerHandler: rate limiter checked before auth, auth attempt limiter checked during auth
  • Unit tests: connection limit enforced, auth attempt limit enforced, log format verification

References

  • docs/architecture/server.md — Logging and Rate Limiting section
  • docs/architecture/decisions/013-fail2ban-friendly-logging.md — logging format, rate limiting flags
  • docs/architecture/decisions/006-no-logging-of-tunnel-destinations.md — no destination logging

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink