Diffstat (limited to 'docs/configuration/service/ssh.rst')
-rw-r--r-- | docs/configuration/service/ssh.rst | 38 |
1 files changed, 35 insertions, 3 deletions
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index ad410a3c..15c2390c 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -109,6 +109,38 @@ Configuration Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. +Dynamic-protection +================== +Protects host from brute-force attacks against +SSH. Log messages are parsed, line-by-line, for recognized patterns. If an +attack, such as several login failures within a few seconds, is detected, the +offending IP is blocked. Offenders are unblocked after a set interval. + +.. cfgcmd:: set service ssh dynamic-protection + + Allow ``ssh`` dynamic-protection. + +.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix> + + Whitelist of addresses and networks. Always allow inbound connections from + these systems. + +.. cfgcmd:: set service ssh dynamic-protection block-time <sec> + + Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 + The default is 120. + +.. cfgcmd:: set service ssh dynamic-protection detect-time <sec> + + Remember source IP in seconds before reset their score. The default is 1800. + +.. cfgcmd:: set service ssh dynamic-protection threshold <sec> + + Block source IP when their cumulative attack score exceeds threshold. The + default is 30. + +.. _ssh_operation: + Operation ========= 
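Review bot: the new ``threshold <sec>`` directive in the Dynamic-protection section labels its argument as seconds, but the description says it is a cumulative attack score (default 30), so the placeholder should be ``<number>`` (or ``<score>``) to match the other two timers, which really are in seconds. Several of the new descriptions also need tightening: "Block source IP in seconds" reads better as "Time in seconds to block the source IP", "Remember source IP in seconds before reset their score" should be "Time in seconds to remember a source IP before resetting its score", and "Subsequent blocks increase by a factor of 1.5" is missing its full stop. Since the feature blocks addresses automatically on repeated login failures, the ``allow-from`` entry would benefit from one sentence advising operators to whitelist their management networks so a mistyped password or a scanner on the same source does not lock administrators out of the box.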
@@ -157,19 +189,19 @@ Operation ``/config/auth/id_rsa_rpki.pub`` will be created. -.. opcmd:: generate public-key-command name <username> path <location> +.. opcmd:: generate public-key-command user <username> path <location> Generate the configuration mode commands to add a public key for :ref:`ssh_key_based_authentication`. ``<location>`` can be a local path or a URL pointing at a remote file. - Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP. + Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP. Example: .. code-block:: none - alyssa@vyos:~$ generate public-key-command name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub + alyssa@vyos:~$ generate public-key-command user alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub # To add this key as an embedded key, run the following commands: configure set system login user alyssa authentication public-keys alyssa@example.net key AAA... |
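Review bot: the rename from ``name`` to ``user`` is applied consistently to both the ``.. opcmd::`` directive and the example, and the example still sets ``system login user alyssa``, so the documented syntax and output agree; please confirm the CLI itself accepts ``user`` and no longer ``name``, otherwise the old form should be listed as deprecated rather than dropped. Since the supported-protocol list now includes FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP, it is worth adding a sentence noting that FTP, HTTP and TFTP fetch the key in cleartext, where an on-path attacker could substitute their own public key before it is committed with ``set system login user ... authentication public-keys``; recommend HTTPS, FTPS or SCP/SFTP, or checking the ``key AAA...`` value against the local copy before running the generated commands.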