summaryrefslogtreecommitdiff
path: root/data/templates/ssh
AgeCommit message (Collapse)Author
2023-07-19sshguard: T5354: Add service ssh dynamic-protectionViacheslav Hletenko
Sshguard protects hosts from brute-force attacks It can inspect logs and block "bad" addresses by threshold Auto-generates own tables and rules for nftables, so they are not intercept with VyOS firewall rules. When service stops, all generated tables are deleted. set service ssh dynamic-protection set service ssh dynamic-protection allow-from '192.0.2.1' set service ssh dynamic-protection block-time '120' set service ssh dynamic-protection detect-time '1800' set service ssh dynamic-protection threshold '30'
2021-01-18ssh: T3212: remove RestartPreventExitStatus from systemd unitChristian Poessinger
When configuring SSH to only run inside a given VRF the system can not start SSHd on bootup as the Kernel will report EPERM (Operation not permitted) when loading the VRF BPF program. This returns the exit code 255 which is marked in the systemd unit file to stop restarting the service forever. Removing this limitation will restart the SSHd on startup and it will live inside the VRF till the end of days. (cherry picked from commit cdbac8f10b470a06aff54832da7f006aa3ed194e)
2021-01-13ssh: T3212: do not make /run/sshd directory disappear on failureChristian Poessinger
(cherry picked from commit 57fca79636b783dc4be2df1bc1ff12a0ce79d988)
2021-01-07ssh: T2635: harden Jinja2 template and daemon startupChristian Poessinger
2021-01-07ssh: T2635: change sshd_config path to /run/sshdChristian Poessinger
2020-08-31T2636: remove workarounds for get_config_dict()Christian Poessinger
Now that b40c52682a256 ("config: T2636: get_config_dict() returns a list on multi node by default") is implemented the workarounds can be removed.
2020-08-03ssh: T1076: make configuration volatileChristian Poessinger
Move sshd_config file to /run so it must be generated on every boot and is not stored accidently.
2020-07-07ssh: T2691: bugfix loglevel config migrationChristian Poessinger
When migrating the conf from VyOS 1.2 to 1.3 a configuration error could appear if the user specified "info" as loglevel instead of "INFO". There was no input validation done in 1.2 but this is now enforced in 1.3. In VyOS 1.3 loglevel will be always lowercase on the CLI and when migrating the config this is transformed. Also VyOS 1.2 accpeted any arbitrary loglevel. If an invalid loglevel is found it will be set to info.
2020-07-04ssh: vrf: T2682: support restart on failure indefinitelyChristian Poessinger
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary reason. After restarting SSH to often (rate-limiting) it is blocked by systemd. Using Restart/RestartSec is not enough - systemd services use start rate limiting (enabled by default). If service is started more than StartLimitBurst times in StartLimitIntervalSec seconds is it not permitted to start any more. Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and DefaultStartLimitBurst (default 5).
2020-07-04ssh: T2682: simplify VRF bindingChristian Poessinger
2020-06-26ssh: T2642: bugfix on multiple listen-address statementsChristian Poessinger
Commit 1d7f88b459d ("ssh: T2635: migrate to get_config_dict()") used a wrong loop iterator on the rendered ListenAddress statement.
2020-06-23ssh: T2635: migrate to get_config_dict()Christian Poessinger
Jinja template contains some workarounds like {% if port is string %}, this depends of the resolution of https://phabricator.vyos.net/T2636
2020-06-11ssh: T2321: add VRF supportChristian Poessinger
2020-05-29ssh: T2230: remove duplicated HostKey lineChristian Poessinger
2020-04-05ssh: T2230: move inlined templates to dedicated filesChristian Poessinger
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 07:45:33 +0000