diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-07-19 14:39:45 +0000 |
|---|---|---|
| committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-07-19 14:39:45 +0000 |
| commit | cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5 (patch) | |
| tree | 76fb06848729084eadf364d17a28e048657211de /data | |
| parent | 64cc7d7e3b9e2f0f8e16cb95272336062700b91f (diff) | |
| download | vyos-1x-cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5.tar.gz vyos-1x-cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5.zip | |
sshguard: T5354: Add service ssh dynamic-protection
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/ssh/sshguard_config.tmpl | 27 | ||||
| -rw-r--r-- | data/templates/ssh/sshguard_whitelist.tmpl | 7 |
2 files changed, 34 insertions, 0 deletions
diff --git a/data/templates/ssh/sshguard_config.tmpl b/data/templates/ssh/sshguard_config.tmpl new file mode 100644 index 000000000..fbcbac908 --- /dev/null +++ b/data/templates/ssh/sshguard_config.tmpl @@ -0,0 +1,27 @@ +### Autogenerated by ssh.py ### + +{% if dynamic_protection is defined and dynamic_protection is not none %} +# Full path to backend executable (required, no default) +BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets" + +# Shell command that provides logs on standard output. (optional, no default) +# Example 1: ssh and sendmail from systemd journal: +LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat" + +#### OPTIONS #### +# Block attackers when their cumulative attack score exceeds THRESHOLD. +# Most attacks have a score of 10. (optional, default 30) +THRESHOLD={{ dynamic_protection.threshold }} + +# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. +# Subsequent blocks increase by a factor of 1.5. (optional, default 120) +BLOCK_TIME={{ dynamic_protection.block_time }} + +# Remember potential attackers for up to DETECTION_TIME seconds before +# resetting their score. (optional, default 1800) +DETECTION_TIME={{ dynamic_protection.detect_time }} + +# IP addresses listed in the WHITELIST_FILE are considered to be +# friendlies and will never be blocked. +WHITELIST_FILE=/etc/sshguard/whitelist +{% endif %} diff --git a/data/templates/ssh/sshguard_whitelist.tmpl b/data/templates/ssh/sshguard_whitelist.tmpl new file mode 100644 index 000000000..c972ec343 --- /dev/null +++ b/data/templates/ssh/sshguard_whitelist.tmpl @@ -0,0 +1,7 @@ +### Autogenerated by ssh.py ### + +{% if dynamic_protection.allow_from is defined and dynamic_protection.allow_from is not none %} +{% for address in dynamic_protection.allow_from %} +{{ address }} +{% endfor %} +{% endif %} |