From cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 19 Jul 2023 14:39:45 +0000 Subject: sshguard: T5354: Add service ssh dynamic-protection Sshguard protects hosts from brute-force attacks It can inspect logs and block "bad" addresses by threshold Auto-generates own tables and rules for nftables, so they are not intercept with VyOS firewall rules. When service stops, all generated tables are deleted. set service ssh dynamic-protection set service ssh dynamic-protection allow-from '192.0.2.1' set service ssh dynamic-protection block-time '120' set service ssh dynamic-protection detect-time '1800' set service ssh dynamic-protection threshold '30' --- data/templates/ssh/sshguard_whitelist.tmpl | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 data/templates/ssh/sshguard_whitelist.tmpl (limited to 'data/templates/ssh/sshguard_whitelist.tmpl') diff --git a/data/templates/ssh/sshguard_whitelist.tmpl b/data/templates/ssh/sshguard_whitelist.tmpl new file mode 100644 index 000000000..c972ec343 --- /dev/null +++ b/data/templates/ssh/sshguard_whitelist.tmpl @@ -0,0 +1,7 @@ +### Autogenerated by ssh.py ### + +{% if dynamic_protection.allow_from is defined and dynamic_protection.allow_from is not none %} +{% for address in dynamic_protection.allow_from %} +{{ address }} +{% endfor %} +{% endif %} -- cgit v1.2.3