From b0a96ec451ffe2104459e364767b8b5c6e2bc319 Mon Sep 17 00:00:00 2001 From: kroy Date: Thu, 19 Sep 2019 11:33:13 -0500 Subject: Overhauling and expanding quick start guide --- docs/quick-start.rst | 72 ++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 59 insertions(+), 13 deletions(-) (limited to 'docs/quick-start.rst') diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 226c81d0..ebe4d402 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -28,15 +28,10 @@ Enable SSH for remote management: set service ssh port '22' -Configure Source NAT for our "Inside" network. - -.. code-block:: sh - set nat source rule 100 outbound-interface 'eth0' - set nat source rule 100 source address '192.168.0.0/24' - set nat source rule 100 translation address masquerade -Configure a DHCP Server: +Configure DHCP Server and DNS +^^^^^^^^^^^^^^^^^^^^^^^ .. code-block:: sh @@ -49,17 +44,27 @@ Configure a DHCP Server: And a DNS forwarder: -Please note that the `listen-on` statement is deprecated. Please use -`listen-address` instead! - .. code-block:: sh set service dns forwarding cache-size '0' - set service dns forwarding listen-on 'eth1' + set service dns forwarding listen-address '192.168.0.1' set service dns forwarding name-server '8.8.8.8' set service dns forwarding name-server '8.8.4.4' -Add a set of firewall policies for our "Outside" interface: +NAT and Firewall +^^^^^^^^^^^^^^^^ + +Configure Source NAT for our "Inside" network. + +.. code-block:: sh + + set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 source address '192.168.0.0/24' + set nat source rule 100 translation address masquerade + +Add a set of firewall policies for our "Outside" interface. + +This configuration creates a proper stateful firewall that blocks all traffic: .. code-block:: sh @@ -75,6 +80,13 @@ Add a set of firewall policies for our "Outside" interface: set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request' set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp' set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' + +If you wanted to enable SSH access to your firewall from the the Internet, you could create some additional rules to allow the traffic. + +These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts: + +.. code-block:: sh + set firewall name OUTSIDE-LOCAL rule 30 action 'drop' set firewall name OUTSIDE-LOCAL rule 30 destination port '22' set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp' @@ -105,7 +117,7 @@ Commit changes, save the configuration, and exit configuration mode: vyos@vyos$ Basic QoS ---------- +^^^^^^^^^ The traffic policy subsystem provides an interface to Linux traffic control (tc_). @@ -163,4 +175,38 @@ VyOS 1.2 (Crux) also supports HFSC (:code:`set traffic-policy shaper-hfsc`) See further information in the :ref:`qos` chapter. +Security Hardening +^^^^^^^^^^^^^^^^^^ + +Especially if you are allowing SSH access from the Internet, there are a few additional configuration steps that should be taken. + +Create a user to replace the default `vyos` user: + +.. code-block:: sh + + set system login user myvyosuser level admin + set system login user myvyosuser authentication plaintext-password mysecurepassword + +Set up SSH key based authentication. For example, on Linux you'd want to run `ssh-keygen -t rsa`. Then the contents of `id_rsa.pub` would be used below: + +.. code-block:: sh + + set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa + set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub + +Or you can use the `loadkey` command. Commit and save. + +Finally, try and ssh into the VyOS install as your new user. + +Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH: + +.. code-block:: sh + + delete system login user vyos + set service ssh disable-password-authentication + +Commit and save. + + + .. _tc: http://en.wikipedia.org/wiki/Tc_(Linux) -- cgit v1.2.3