path: root/docs/configuration/service/ssh.rst
Diffstat (limited to 'docs/configuration/service/ssh.rst')
-rw-r--r--  docs/configuration/service/ssh.rst  38
1 files changed, 35 insertions, 3 deletions
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index ad410a3c..15c2390c 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -109,6 +109,38 @@ Configuration
Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+Dynamic-protection
+==================
+Protects host from brute-force attacks against
+SSH. Log messages are parsed, line-by-line, for recognized patterns. If an
+attack, such as several login failures within a few seconds, is detected, the
+offending IP is blocked. Offenders are unblocked after a set interval.
+
+.. cfgcmd:: set service ssh dynamic-protection
+
+ Allow ``ssh`` dynamic-protection.
+
+.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix>
+
+ Whitelist of addresses and networks. Always allow inbound connections from
+ these systems.
+
+.. cfgcmd:: set service ssh dynamic-protection block-time <sec>
+
+ Block source IP in seconds. Subsequent blocks increase by a factor of 1.5
+ The default is 120.
+
+.. cfgcmd:: set service ssh dynamic-protection detect-time <sec>
+
+ Remember source IP in seconds before reset their score. The default is 1800.
+
+.. cfgcmd:: set service ssh dynamic-protection threshold <sec>
+
+ Block source IP when their cumulative attack score exceeds threshold. The
+ default is 30.
+
+.. _ssh_operation:
+
Operation
=========
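Review bot: the `threshold` directive (`.. cfgcmd:: set service ssh dynamic-protection threshold <sec>`) labels its argument as seconds, but its own description says it is a cumulative attack score; the placeholder should be something like `<score>` or `<number>` so readers do not configure it as a time value. Two smaller wording points in the same hunk: the `detect-time` text "Remember source IP in seconds before reset their score" should read "Time in seconds to remember a source IP before its score is reset", and the `block-time` line is missing the full stop after "factor of 1.5". The intro sentence also reads better as "Protects the host from brute-force attacks against SSH."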
@@ -157,19 +189,19 @@ Operation
``/config/auth/id_rsa_rpki.pub``
will be created.
-.. opcmd:: generate public-key-command name <username> path <location>
+.. opcmd:: generate public-key-command user <username> path <location>
Generate the configuration mode commands to add a public key for
:ref:`ssh_key_based_authentication`.
``<location>`` can be a local path or a URL pointing at a remote file.
- Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP.
+ Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP.
Example:
.. code-block:: none
- alyssa@vyos:~$ generate public-key-command name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub
+ alyssa@vyos:~$ generate public-key-command user alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub
# To add this key as an embedded key, run the following commands:
configure
set system login user alyssa authentication public-keys alyssa@example.net key AAA...
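Review bot: the keyword rename from `name` to `user` is applied consistently to both the `.. opcmd::` directive and the example session, and the FTPS addition matches the existing protocol list style; since this changes user-facing op-mode syntax, it would help readers on older images to state from which release the `user` form applies, or to mention that the previous `name` form is no longer accepted.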