diff options
author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2022-05-30 14:15:57 +0300 |
---|---|---|
committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2022-05-30 14:15:57 +0300 |
commit | 85eb5e124f11c891470bf83a0096188b2196c457 (patch) | |
tree | 7e215d370e5b5918f6b5ddc40f0af556a2f3cb85 /docs/configuration/service | |
parent | 590ab57d307e3162ece29e7b39b6df0c8a1c56d7 (diff) | |
download | vyos-documentation-85eb5e124f11c891470bf83a0096188b2196c457.tar.gz vyos-documentation-85eb5e124f11c891470bf83a0096188b2196c457.zip |
sshguard: Add ssh dynamic-protection
Diffstat (limited to 'docs/configuration/service')
-rw-r--r-- | docs/configuration/service/ssh.rst | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index ad410a3c..baf17035 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -109,6 +109,36 @@ Configuration Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. +Dynamic-protection +================== +Protects host from brute-force attacks against +SSH. Log messages are parsed, line-by-line, for recognized patterns. If an +attack, such as several login failures within a few seconds, is detected, the +offending IP is blocked. Offenders are unblocked after a set interval. + +.. cfgcmd:: set service ssh dynamic-protection + + Allow ``ssh`` dynamic-protection. + +.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix> + + Whitelist of addresses and networks. Always allow inbound connections from + these systems. + +.. cfgcmd:: set service ssh dynamic-protection block-time <sec> + + Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 + The default is 120. + +.. cfgcmd:: set service ssh dynamic-protection detect-time <sec> + + Remember source IP in seconds before reset their score. The default is 1800. + +.. cfgcmd:: set service ssh dynamic-protection threshold <sec> + + Block source IP when their cumulative attack score exceeds threshold. The + default is 30. + Operation ========= |