From cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Wed, 19 Jul 2023 14:39:45 +0000
Subject: sshguard: T5354: Add service ssh dynamic-protection

Sshguard protects hosts from brute-force attacks
It can inspect logs and block "bad" addresses by threshold
Auto-generates own tables and rules for nftables, so they are not
intercept with VyOS firewall rules.
When service stops, all generated tables are deleted.

set service ssh dynamic-protection
set service ssh dynamic-protection allow-from '192.0.2.1'
set service ssh dynamic-protection block-time '120'
set service ssh dynamic-protection detect-time '1800'
set service ssh dynamic-protection threshold '30'
---
 data/templates/ssh/sshguard_config.tmpl    | 27 +++++++++++++++++++++++++++
 data/templates/ssh/sshguard_whitelist.tmpl |  7 +++++++
 2 files changed, 34 insertions(+)
 create mode 100644 data/templates/ssh/sshguard_config.tmpl
 create mode 100644 data/templates/ssh/sshguard_whitelist.tmpl

(limited to 'data/templates')

diff --git a/data/templates/ssh/sshguard_config.tmpl b/data/templates/ssh/sshguard_config.tmpl
new file mode 100644
index 000000000..fbcbac908
--- /dev/null
+++ b/data/templates/ssh/sshguard_config.tmpl
@@ -0,0 +1,27 @@
+### Autogenerated by ssh.py ###
+
+{% if dynamic_protection is defined and dynamic_protection is not none %}
+# Full path to backend executable (required, no default)
+BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat"
+
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD={{ dynamic_protection.threshold }}
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME={{ dynamic_protection.block_time }}
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME={{ dynamic_protection.detect_time }}
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+WHITELIST_FILE=/etc/sshguard/whitelist
+{% endif %}
diff --git a/data/templates/ssh/sshguard_whitelist.tmpl b/data/templates/ssh/sshguard_whitelist.tmpl
new file mode 100644
index 000000000..c972ec343
--- /dev/null
+++ b/data/templates/ssh/sshguard_whitelist.tmpl
@@ -0,0 +1,7 @@
+### Autogenerated by ssh.py ###
+
+{% if dynamic_protection.allow_from is defined and dynamic_protection.allow_from is not none %}
+{%     for address in dynamic_protection.allow_from %}
+{{ address }}
+{%     endfor %}
+{% endif %}
-- 
cgit v1.2.3