author Robert Göhler <github@ghlr.de> 2022-05-31 11:49:25 +0200
committer GitHub <noreply@github.com> 2022-05-31 11:49:25 +0200
commit 336b4498b8367f0188a281dbe3eea423fec8bd0f (patch)
tree 1e284cc93596c5691bb1d0fa7f05fcf0197f9996 /docs
parent 3165014ae9a3a894846e9b3bfc85f0ab61c9b600 (diff)
parent 85eb5e124f11c891470bf83a0096188b2196c457 (diff)
Merge pull request #782 from sever-sever/sshguard
sshguard: Add ssh dynamic-protection
Diffstat (limited to 'docs')
-rw-r--r-- docs/configuration/service/ssh.rst 30
1 files changed, 30 insertions, 0 deletions
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index ad410a3c..baf17035 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -109,6 +109,36 @@ Configuration
Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+Dynamic-protection
+==================
+Protects host from brute-force attacks against
+SSH. Log messages are parsed, line-by-line, for recognized patterns. If an
+attack, such as several login failures within a few seconds, is detected, the
+offending IP is blocked. Offenders are unblocked after a set interval.
+
+.. cfgcmd:: set service ssh dynamic-protection
+
+ Allow ``ssh`` dynamic-protection.
+
+.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix>
+
+ Whitelist of addresses and networks. Always allow inbound connections from
+ these systems.
+
+.. cfgcmd:: set service ssh dynamic-protection block-time <sec>
+
+ Block source IP in seconds. Subsequent blocks increase by a factor of 1.5
+ The default is 120.
+
+.. cfgcmd:: set service ssh dynamic-protection detect-time <sec>
+
+ Remember source IP in seconds before reset their score. The default is 1800.
+
+.. cfgcmd:: set service ssh dynamic-protection threshold <sec>
+
+ Block source IP when their cumulative attack score exceeds threshold. The
+ default is 30.
+
Operation
=========
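Review bot: the ``threshold`` command near the end of the hunk uses ``<sec>`` as its placeholder, but its description says the value is a cumulative attack score (default 30), not a duration, so a placeholder such as ``<score>`` would match the text and keep readers from treating it as a third time setting. In the same hunk, the ``block-time`` description is missing the full stop after "a factor of 1.5", which runs it into "The default is 120."; "Allow ``ssh`` dynamic-protection." does not say that the command enables the feature; and "Remember source IP in seconds before reset their score" would read better as "Remember a source IP for this many seconds before resetting its score". The ``Dynamic-protection`` title is also followed directly by its paragraph, where the other added blocks leave a blank line after the directive line.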