Skip to content

Incoming Connections

bruckins edited this page Oct 1, 2025 · 1 revision

The SSH Proxy runs as multiple instances within the Kubernetes cluster. Each instance listens on a TCP port (default: 2022), which is exposed externally as TCP/22 through a LoadBalancer service. When SSH Proxy receives a new connection and forking is enabled, it spawns a child process to handle the connection.

Because TCP/22 is a common public entry point, it is frequently targeted by automated bots and attackers attempting to gain unauthorized access using various usernames and authentication methods. To mitigate this risk, the external TCP/22 endpoint should be protected with security mechanisms capable of blocking incoming connections once suspicious activity or defined thresholds are detected. To support this requirement, the SSH Proxy publishes details of failed authentication attempts via the NATS messaging middleware, including the client IP address, username used and the reason for the failure.

Note that the SSH Proxy runs inside the Kubernetes cluster and cannot directly determine the real client IP from the TCP socket. Instead, this information is provided through the PROXY protocol, which must be injected into the TCP connection by the external load balancer at the entrypoint.

The diagram below describes the incoming connections to the SSH Proxy.

sequenceDiagram
    autonumber
    participant A as Client
    participant LB as Load Balancer
    participant P as SSH Proxy
    participant N as NATS
    participant S as SSH Shield

    note over A,S: Failed Authentication Flow

    A->>LB: SSH connection attempt
    LB->>P: Forward connection
    note right of LB: PROXY protocol: client IP
    
    P->>P: Parse PROXY protocol to extract client IP
    P->>A: SSH handshake
    A->>P: Authentication attempt

    P-->>A: Authentication fails
    P->>N: Publish failed auth event
    note right of P: Event: client IP<br/>username, reason
    N->>S: Deliver failed auth event
    S->>LB: Update firewall rules

    note over A,S: Subsequent Connection Attempt (Blocked IP)

    A->>LB: New SSH connection attempt
    LB->>LB: Check firewall rules
    LB-->>A: Connection rejected (IP blocked)    
Loading

For more details on how SSH Shield blocks the IP addresses, see SSH Shield service.

Clone this wiki locally