summaryrefslogtreecommitdiff
path: root/interface-definitions
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-05-13 13:11:57 +0200
committerGitHub <noreply@github.com>2022-05-13 13:11:57 +0200
commit8b122bd2ba6be5af1b7e24358b6e4db9abe9a45d (patch)
treebf04d8f50795c90a745f1be1aba58cf4af00602e /interface-definitions
parentd70c2b4493366c02f025f43d2a777b2bef3e1789 (diff)
parent2e81f9e057f598a9a9e5c2d617e3d0818005d850 (diff)
downloadvyos-1x-8b122bd2ba6be5af1b7e24358b6e4db9abe9a45d.tar.gz
vyos-1x-8b122bd2ba6be5af1b7e24358b6e4db9abe9a45d.zip
Merge pull request #1320 from sever-sever/T4408
sshguard: T4408: Add service ssh dynamic-protection
Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/ssh.xml.in72
1 files changed, 72 insertions, 0 deletions
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index 8edbad110..7e2512f54 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -61,6 +61,78 @@
<valueless/>
</properties>
</leafNode>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Allow dynamic protection</help>
+ </properties>
+ <children>
+ <leafNode name="block-time">
+ <properties>
+ <help>Block source IP in seconds. Subsequent blocks increase by a factor of 1.5</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Time interval in seconds for blocking</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="detect-time">
+ <properties>
+ <help>Remember source IP in seconds before reset their score</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Time interval in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>1800</defaultValue>
+ </leafNode>
+ <leafNode name="threshold">
+ <properties>
+ <help>Block source IP when their cumulative attack score exceeds threshold</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Threshold score</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="whitelist-address">
+ <properties>
+ <help>Source address or prefix</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Address to match against</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 address and prefix length</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to match against</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-address"/>
+ <validator name="ip-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
<leafNode name="key-exchange">
<properties>
<help>Allowed key exchange (KEX) algorithms</help>