VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git) https://git.amelek.net/marekm72/vyos-1x.git/atom?h=1.3.8 2023-11-20T17:07:11+00:00 2023-11-20T17:07:11+00:00 zsdc taras@vyos.io 2023-09-26T08:27:07+00:00 urn:sha1:d7457268fcaa5626e512eb00a9aab36f4a617f28 - Added system `radius` group - Added `mandatory` and `optional` modes for RADIUS - Improved PAM config for RADIUS New modes: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. 2023-07-19T14:39:45+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-07-19T14:39:45+00:00 urn:sha1:cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5 Sshguard protects hosts from brute-force attacks It can inspect logs and block "bad" addresses by threshold Auto-generates own tables and rules for nftables, so they are not intercept with VyOS firewall rules. When service stops, all generated tables are deleted. set service ssh dynamic-protection set service ssh dynamic-protection allow-from '192.0.2.1' set service ssh dynamic-protection block-time '120' set service ssh dynamic-protection detect-time '1800' set service ssh dynamic-protection threshold '30' 2023-05-04T19:41:40+00:00 zsdc taras@vyos.io 2023-05-04T19:41:40+00:00 urn:sha1:748199b10df112cba0821703001c0307e325bd90 Added a new service that starts before Cloud-init, waits for all network interfaces initialization, and if requested by config, checks which interfaces can get configuration via DHCP server and creates a corresponding Cloud-init network configuration. This protects from two situations: * when Cloud-init tries to get meta-data via eth0 (default and fallback variant for any data source which depends on network), but the real network is connected to another interface * when Cloud-init starts simultaneously with udev and initializes the first interface to get meta-data before it is renamed to eth0 by udev 2023-02-04T12:26:28+00:00 Christian Breunig christian@breunig.cc 2023-02-04T12:23:00+00:00 urn:sha1:ae9dde044f0a60c9034874b2912729ed694f5375 (cherry picked from commit 29a44a73c638cb22839aa32986de367231b6efe9) 2022-12-31T07:18:59+00:00 Christian Poessinger christian@poessinger.com 2022-12-31T07:18:59+00:00 urn:sha1:5e305d7a173864add90ff3cff0cc839aed0dccdd Dependency is required for the test Docker OCI image used within the smoketest framework 2022-12-30T21:28:25+00:00 Christian Poessinger christian@poessinger.com 2022-12-30T21:23:05+00:00 urn:sha1:0c8b53e6f7a94e914a7815328bbd16c0b3943d40 2022-11-15T05:56:56+00:00 Yuxiang Zhu vfreex@gmail.com 2022-11-14T02:23:46+00:00 urn:sha1:ff901a52bb9acd4bdd0e3a96033c896e4667a6af This is a backport of https://github.com/vyos/vyos-1x/pull/1656. Note I also changed `ip-down.script.tmpl` to not wait for `systemctl stop dhcp6c@$iface.service`, because that command is slow and pppd will kill the ip-down script if it times out. I didn't see `ip-down.script.tmpl` or its equivalent in the 1.4 branch. Not sure if there is another mechanism to handle that functionality or it is missed. 2022-08-16T06:24:21+00:00 Christian Poessinger christian@poessinger.com 2022-08-16T06:23:06+00:00 urn:sha1:6b3c359ed0995d26626ddfc1cbf131e75bff74cc (cherry picked from commit 681bdf2946d1d10f3b432f70452a8d018b7a98ae) 2022-04-03T07:19:18+00:00 Christian Poessinger christian@poessinger.com 2022-04-02T12:38:11+00:00 urn:sha1:7091d0b54f21caf85ea86d2542d9bec4b5fd1afb (cherry picked from commit 5faeacd1111a83e5859b98ccc4193cb6017cdba8) 2022-03-05T19:54:15+00:00 Christian Poessinger christian@poessinger.com 2022-03-05T19:51:13+00:00 urn:sha1:0aa13010b1a013edc3c3a89a007108dfbb82bdad (cherry picked from commit aa8080d316dbeb4d26bf67f6d67efeda43b2bc07)