Sshguard protects hosts from brute-force attacks.
It can inspect logs and block "bad" addresses by threshold.
It auto-generates its own tables and rules for nftables, so they are not
intercepted by VyOS firewall rules.
When the service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'

After hardening the regex validator to be preceded with ^ and ending with $,
it was no longer possible to have a comma-separated list as SSH ciphers. The
migration script is altered to migrate the previous comma-separated list
to individual multi-node entries - cipher and key-exchange always had been
multi-nodes - so this just re-arranges some values and does not break CLI
compatibility.
(cherry picked from commit 61fa1c95164e4222e79b078b1a796f41397e0ee3)

(cherry picked from commit 794f193d11c8c1b5fed78f4e40280480446ab593)

(cherry picked from commit 0a8a0188033d6b27c521f082fdddae9873dd5d3d)

(cherry picked from commit 556e03922f78f8e258c6d6630ad47569be376e11)

As the number of include files has now reached a certain amount, it is getting
more and more crowded, thus introducing "per topic" subdirectories on the
filesystem to keep a clean structure makes sense.

(cherry picked from commit 57fca79636b783dc4be2df1bc1ff12a0ce79d988)

This will render the completion help more nicely.

When migrating the config from VyOS 1.2 to 1.3 a configuration error could appear
if the user specified "info" as loglevel instead of "INFO". There was no input
validation done in 1.2 but this is now enforced in 1.3.
In VyOS 1.3 loglevel will always be lowercase on the CLI and when migrating the
config this is transformed. Also VyOS 1.2 accepted any arbitrary loglevel. If
an invalid loglevel is found it will be set to info.

The Jinja template contains some workarounds like {% if port is string %}; this
depends on the resolution of https://phabricator.vyos.net/T2636

SSH mac, cipher and key exchange algorithms are not dynamic and only change
on distro upgrades. Thus it is easier to have them in a list and use a regex
based constraint. In the past users could have entered anything here!

... as the caret is applied automatically when reading in the XML
definition. Auto replaced by:
$ find interface-definitions -type f | xargs sed -i 's/regex>^/regex>/'

A lot of XML code is duplicated (VLAN, interface address for instance). Such
XML definitions should be moved to feature.xml.i files and then just pulled in
via the GCC preprocessor #include directive in e.g. bond or ethernet definitions.
This will give us the ability to single-source repeating node definitions as:
* Interface Address
* Interface Description
* Interface Disable
* VLAN (both vif-s and vif-c)
The .in suffix of the interface-definitions is a marker that those files are
input files to the GCC preprocessor. They will be rendered into proper XML
files in the build directory.
Some node definitions have been reworded to remove escaped double quote
occurrences which would have been warned about by the GCC preprocessor.