summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorkroy <kroy@kroy.io>2019-09-19 11:33:13 -0500
committerkroy <kroy@kroy.io>2019-09-19 11:33:13 -0500
commitb0a96ec451ffe2104459e364767b8b5c6e2bc319 (patch)
treee164604ab99b03735cb66a1ee2850700ae8d960b /docs
parentbf3eeb0ab548c88f79103e5b2cb88639648368df (diff)
downloadvyos-documentation-b0a96ec451ffe2104459e364767b8b5c6e2bc319.tar.gz
vyos-documentation-b0a96ec451ffe2104459e364767b8b5c6e2bc319.zip
Overhauling and expanding quick start guide
Diffstat (limited to 'docs')
-rw-r--r--docs/quick-start.rst72
1 files changed, 59 insertions, 13 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index 226c81d0..ebe4d402 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -28,15 +28,10 @@ Enable SSH for remote management:
set service ssh port '22'
-Configure Source NAT for our "Inside" network.
-
-.. code-block:: sh
- set nat source rule 100 outbound-interface 'eth0'
- set nat source rule 100 source address '192.168.0.0/24'
- set nat source rule 100 translation address masquerade
-Configure a DHCP Server:
+Configure DHCP Server and DNS
+^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: sh
@@ -49,17 +44,27 @@ Configure a DHCP Server:
And a DNS forwarder:
-Please note that the `listen-on` statement is deprecated. Please use
-`listen-address` instead!
-
.. code-block:: sh
set service dns forwarding cache-size '0'
- set service dns forwarding listen-on 'eth1'
+ set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
-Add a set of firewall policies for our "Outside" interface:
+NAT and Firewall
+^^^^^^^^^^^^^^^^
+
+Configure Source NAT for our "Inside" network.
+
+.. code-block:: sh
+
+ set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 source address '192.168.0.0/24'
+ set nat source rule 100 translation address masquerade
+
+Add a set of firewall policies for our "Outside" interface.
+
+This configuration creates a proper stateful firewall that blocks all traffic:
.. code-block:: sh
@@ -75,6 +80,13 @@ Add a set of firewall policies for our "Outside" interface:
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
+
+If you wanted to enable SSH access to your firewall from the the Internet, you could create some additional rules to allow the traffic.
+
+These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts:
+
+.. code-block:: sh
+
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
@@ -105,7 +117,7 @@ Commit changes, save the configuration, and exit configuration mode:
vyos@vyos$
Basic QoS
----------
+^^^^^^^^^
The traffic policy subsystem provides an interface to Linux traffic control
(tc_).
@@ -163,4 +175,38 @@ VyOS 1.2 (Crux) also supports HFSC (:code:`set traffic-policy shaper-hfsc`)
See further information in the :ref:`qos` chapter.
+Security Hardening
+^^^^^^^^^^^^^^^^^^
+
+Especially if you are allowing SSH access from the Internet, there are a few additional configuration steps that should be taken.
+
+Create a user to replace the default `vyos` user:
+
+.. code-block:: sh
+
+ set system login user myvyosuser level admin
+ set system login user myvyosuser authentication plaintext-password mysecurepassword
+
+Set up SSH key based authentication. For example, on Linux you'd want to run `ssh-keygen -t rsa`. Then the contents of `id_rsa.pub` would be used below:
+
+.. code-block:: sh
+
+ set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa
+ set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub
+
+Or you can use the `loadkey` command. Commit and save.
+
+Finally, try and ssh into the VyOS install as your new user.
+
+Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH:
+
+.. code-block:: sh
+
+ delete system login user vyos
+ set service ssh disable-password-authentication
+
+Commit and save.
+
+
+
.. _tc: http://en.wikipedia.org/wiki/Tc_(Linux)