diff options
Diffstat (limited to 'data/templates/ssh')
| -rw-r--r-- | data/templates/ssh/override.conf.j2 | 13 | ||||
| -rw-r--r-- | data/templates/ssh/override.conf.tmpl | 13 | ||||
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 (renamed from data/templates/ssh/sshd_config.tmpl) | 54 | ||||
| -rw-r--r-- | data/templates/ssh/sshguard_config.j2 | 27 | ||||
| -rw-r--r-- | data/templates/ssh/sshguard_whitelist.j2 | 7 |
5 files changed, 69 insertions, 45 deletions
diff --git a/data/templates/ssh/override.conf.j2 b/data/templates/ssh/override.conf.j2 new file mode 100644 index 000000000..e4d6f51cb --- /dev/null +++ b/data/templates/ssh/override.conf.j2 @@ -0,0 +1,13 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service +ConditionPathExists={{ config_file }} + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/sshd -f {{ config_file }} -D $SSHD_OPTS +Restart=always +RestartPreventExitStatus= +RestartSec=10 +RuntimeDirectoryPreserve=yes diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl deleted file mode 100644 index 5f8f35e89..000000000 --- a/data/templates/ssh/override.conf.tmpl +++ /dev/null @@ -1,13 +0,0 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} -[Unit] -StartLimitIntervalSec=0 -After=vyos-router.service -ConditionPathExists={{config_file}} - -[Service] -ExecStart= -ExecStart={{vrf_command}}/usr/sbin/sshd -f {{config_file}} -D $SSHD_OPTS -Restart=always -RestartPreventExitStatus= -RestartSec=10 -RuntimeDirectoryPreserve=yes diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.j2 index 2f2b78a66..e7dbca581 100644 --- a/data/templates/ssh/sshd_config.tmpl +++ b/data/templates/ssh/sshd_config.j2 @@ -29,6 +29,7 @@ UsePAM yes PermitRootLogin no PidFile /run/sshd/sshd.pid AddressFamily any +DebianBanner no # # User configurable section @@ -36,7 +37,7 @@ AddressFamily any # Look up remote host name and check that the resolved host name for the remote IP # address maps back to the very same IP address. -UseDNS {{ "no" if disable_host_validation is defined else "yes" }} +UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }} # Specifies the port number that sshd(8) listens on {% for value in port %} @@ -47,61 +48,50 @@ Port {{ value }} LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed -PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }} +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} -{% if listen_address is defined and listen_address is not none %} +{% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on -{% for address in listen_address %} +{% for address in listen_address %} ListenAddress {{ address }} -{% endfor %} +{% endfor %} {% endif %} -{% if ciphers is defined and ciphers is not none %} +{% if ciphers is vyos_defined %} # Specifies the ciphers allowed for protocol version 2 -{% set value = ciphers if ciphers is string else ciphers | join(',') %} -Ciphers {{ value }} +Ciphers {{ ciphers | join(',') }} {% endif %} -{% if mac is defined and mac is not none %} +{% if mac is vyos_defined %} # Specifies the available MAC (message authentication code) algorithms -{% set value = mac if mac is string else mac | join(',') %} -MACs {{ value }} +MACs {{ mac | join(',') }} {% endif %} -{% if key_exchange is defined and key_exchange is not none %} +{% if key_exchange is vyos_defined %} # Specifies the available Key Exchange algorithms -{% set value = key_exchange if key_exchange is string else key_exchange | join(',') %} -KexAlgorithms {{ value }} +KexAlgorithms {{ key_exchange | join(',') }} {% endif %} -{% if access_control is defined and access_control is not none %} -{% if access_control.allow is defined and access_control.allow is not none %} -{% if access_control.allow.user is defined %} +{% if access_control is vyos_defined %} +{% if access_control.allow.user is vyos_defined %} # If specified, login is allowed only for user names that match -{% set value = access_control.allow.user if access_control.allow.user is string else access_control.allow.user | join(' ') %} -AllowUsers {{ value }} +AllowUsers {{ access_control.allow.user | join(' ') }} {% endif %} -{% if access_control.allow.group is defined %} +{% if access_control.allow.group is vyos_defined %} # If specified, login is allowed only for users whose primary group or supplementary group list matches -{% set value = access_control.allow.group if access_control.allow.group is string else access_control.allow.group | join(' ') %} -AllowGroups {{ value }} +AllowGroups {{ access_control.allow.group | join(' ') }} {% endif %} -{% endif %} -{% if access_control.deny is defined and access_control.deny is not none %} -{% if access_control.deny.user is defined %} +{% if access_control.deny.user is vyos_defined %} # Login is disallowed for user names that match -{% set value = access_control.deny.user if access_control.deny.user is string else access_control.deny.user | join(' ') %} -DenyUsers {{ value }} +DenyUsers {{ access_control.deny.user | join(' ') }} {% endif %} -{% if access_control.deny.group is defined %} +{% if access_control.deny.group is vyos_defined %} # Login is disallowed for users whose primary group or supplementary group list matches -{% set value = access_control.deny.group if access_control.deny.group is string else access_control.deny.group | join(' ') %} -DenyGroups {{ value }} +DenyGroups {{ access_control.deny.group | join(' ') }} {% endif %} -{% endif %} {% endif %} -{% if client_keepalive_interval is defined and client_keepalive_interval is not none %} +{% if client_keepalive_interval is vyos_defined %} # Sets a timeout interval in seconds after which if no data has been received from the client, # sshd(8) will send a message through the encrypted channel to request a response from the client ClientAliveInterval {{ client_keepalive_interval }} diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2 new file mode 100644 index 000000000..58c6ad48d --- /dev/null +++ b/data/templates/ssh/sshguard_config.j2 @@ -0,0 +1,27 @@ +### Autogenerated by ssh.py ### + +{% if dynamic_protection is vyos_defined %} +# Full path to backend executable (required, no default) +BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets" + +# Shell command that provides logs on standard output. (optional, no default) +# Example 1: ssh and sendmail from systemd journal: +LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat" + +#### OPTIONS #### +# Block attackers when their cumulative attack score exceeds THRESHOLD. +# Most attacks have a score of 10. (optional, default 30) +THRESHOLD={{ dynamic_protection.threshold }} + +# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. +# Subsequent blocks increase by a factor of 1.5. (optional, default 120) +BLOCK_TIME={{ dynamic_protection.block_time }} + +# Remember potential attackers for up to DETECTION_TIME seconds before +# resetting their score. (optional, default 1800) +DETECTION_TIME={{ dynamic_protection.detect_time }} + +# IP addresses listed in the WHITELIST_FILE are considered to be +# friendlies and will never be blocked. +WHITELIST_FILE=/etc/sshguard/whitelist +{% endif %} diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2 new file mode 100644 index 000000000..47a950a2b --- /dev/null +++ b/data/templates/ssh/sshguard_whitelist.j2 @@ -0,0 +1,7 @@ +### Autogenerated by ssh.py ### + +{% if dynamic_protection.allow_from is vyos_defined %} +{% for address in dynamic_protection.allow_from %} +{{ address }} +{% endfor %} +{% endif %} |