Age | Commit message | Author |
|
Sshguard protects hosts from brute-force attacks.
It can inspect logs and block "bad" addresses by threshold.
Auto-generates its own tables and rules for nftables, so they do not
interfere with VyOS firewall rules.
When service stops, all generated tables are deleted.
set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
|
(cherry picked from commit 57fca79636b783dc4be2df1bc1ff12a0ce79d988)
|
Commit a1327d2b970 ("ssh: T2635: reuse common verify_vrf() function") already
moved to the common verify logic but did not remove the no longer needed import
statement.
|
Move sshd_config file to /run so it must be generated on every boot and is
not stored accidentally.
|
Jinja template contains some workarounds like {% if port is string %}, this
depends on the resolution of https://phabricator.vyos.net/T2636
|
Commit 5deb12c509be ("ssh: T2321: add VRF support") restructured the Port
assignment (cleanup from the early days) but it accesses a string with methods
used for a list, resulting in the funny default port 2.
|
airbag must now be explicitly installed.
The patch also allows fully disabling the installation of the logging
code at setup (and not just installing and doing nothing).
|
Convert all calls to jinja to use template.render
|
os.system does print the output of the command, run() does not.
A new function called call() does the printing and returns the error code.
|
As little change as possible but the function call.
The behaviour should be totally unchanged.
|
* 'current' of github.com:vyos/vyos-1x:
T1749: support multiple ranges in the numeric validator.
dhcp-server: T1745: bugfix corner case on static-assignments
system-proxy: T1741 - Add system wide proxy setting
wireguard - remove endpoint check to enable roaming connections
system-proxy: T1741 - Add system wide proxy setting CLI implementation
Python/ifconfig: T1712: always start DHCP when configured
Python/ifconfig: T1557: get_status() must use admin state not operstate
bgp: T1490: fix migrator file permissions
snmp: T1737: add missing completion helpers
Revert "Python/ifconfig: T1712: wait when changing interface state"
snmpd: T1705 - High CPU usage by bgpd when snmp is active
Revert "snmpd: T1705 - High CPU usage by bgpd when snmp is active"
openvpn: T1548: clean out import statements
ssh.py: check if file exists before deleting it
[BGP] T1490: Added migration for obsoleted 'bgp scan-time' parameter
|
* Deprecated options since openssh 7.5: UsePrivilegeSeparation, KeyRegenerationInterval,
ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication
|
Add option to specify multiple listening ports
Clean up template generation layout
|
The setdefault() dict object method updates the value only if it's not
already set, so it's useless for what we want to do, despite its deceptive name.
|
This reverts commit d9474df03d47b20f06580c3b32aac69849162015.
|
with VyOS paths.
|