From cd6f7994a9c5d6501ce56b57362c7f33f64fa3d5 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 19 Jul 2023 14:39:45 +0000 Subject: sshguard: T5354: Add service ssh dynamic-protection Sshguard protects hosts from brute-force attacks It can inspect logs and block "bad" addresses by threshold Auto-generates own tables and rules for nftables, so they are not intercept with VyOS firewall rules. When service stops, all generated tables are deleted. set service ssh dynamic-protection set service ssh dynamic-protection allow-from '192.0.2.1' set service ssh dynamic-protection block-time '120' set service ssh dynamic-protection detect-time '1800' set service ssh dynamic-protection threshold '30' --- interface-definitions/ssh.xml.in | 72 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) (limited to 'interface-definitions/ssh.xml.in') diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 867037295..65d8a368e 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -61,6 +61,78 @@ + + + Allow dynamic protection + + + + + Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 + + u32:1-65535 + Time interval in seconds for blocking + + + + + + 120 + + + + Remember source IP in seconds before reset their score + + u32:1-65535 + Time interval in seconds + + + + + + 1800 + + + + Block source IP when their cumulative attack score exceeds threshold + + u32:1-65535 + Threshold score + + + + + + 30 + + + + Always allow inbound connections from these systems + + ipv4 + Address to match against + + + ipv4net + IPv4 address and prefix length + + + ipv6 + IPv6 address to match against + + + ipv6net + IPv6 address and prefix length + + + + + + + + + + Allowed key exchange (KEX) algorithms -- cgit v1.2.3