diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-07-19 14:39:45 +0000 |
|---|---|---|
| committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-07-19 14:39:45 +0000 |
| commit | cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5 (patch) | |
| tree | 76fb06848729084eadf364d17a28e048657211de /src/conf_mode | |
| parent | 64cc7d7e3b9e2f0f8e16cb95272336062700b91f (diff) | |
| download | vyos-1x-cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5.tar.gz vyos-1x-cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5.zip | |
sshguard: T5354: Add service ssh dynamic-protection
Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/ssh.py | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 8eeb0a7c1..f961d3671 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -31,6 +31,9 @@ airbag.enable() config_file = r'/run/sshd/sshd_config' systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf' +sshguard_config_file = '/etc/sshguard/sshguard.conf' +sshguard_whitelist = '/etc/sshguard/whitelist' + def get_config(config=None): if config: conf = config @@ -48,6 +51,11 @@ def get_config(config=None): # pass config file path - used in override template ssh['config_file'] = config_file + # Ignore default XML values if config doesn't exists + # Delete key from dict + if not conf.exists(base + ['dynamic-protection']): + del ssh['dynamic_protection'] + return ssh def verify(ssh): @@ -68,17 +76,27 @@ def generate(ssh): render(config_file, 'ssh/sshd_config.tmpl', ssh) render(systemd_override, 'ssh/override.conf.tmpl', ssh) + if 'dynamic_protection' in ssh: + render(sshguard_config_file, 'ssh/sshguard_config.tmpl', ssh) + render(sshguard_whitelist, 'ssh/sshguard_whitelist.tmpl', ssh) # Reload systemd manager configuration call('systemctl daemon-reload') return None def apply(ssh): + systemd_service_sshguard = 'sshguard.service' if not ssh: # SSH access is removed in the commit call('systemctl stop ssh.service') + call(f'systemctl stop {systemd_service_sshguard}') return None + if 'dynamic_protection' not in ssh: + call(f'systemctl stop {systemd_service_sshguard}') + else: + call(f'systemctl reload-or-restart {systemd_service_sshguard}') + call('systemctl restart ssh.service') return None |