| author | Daniil Baturin <daniil@baturin.org> | 2019-09-20 03:40:01 +0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-20 03:40:01 +0700 |
| commit | bff0db0f6027ceb51232bb22582af6c473cacc8a (patch) | |
| tree | 93dfaf73e487f83e016dc5bea4e795c0ecd26766 | |
| parent | affe7cc7be80b4ab2ace9924967c8ce9a89c79af (diff) | |
| parent | d076bcb40da2107533b1a83cf143ef3b309e8027 (diff) | |
| download | vyos-documentation-bff0db0f6027ceb51232bb22582af6c473cacc8a.tar.gz, vyos-documentation-bff0db0f6027ceb51232bb22582af6c473cacc8a.zip | |
Merge branch 'master' into config-overview-fixes
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/configuration-overview.rst | 14 |
| -rw-r--r-- | docs/quick-start.rst | 72 |

2 files changed, 73 insertions, 13 deletions
| diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst index dfd42e85..5bd80028 100644 --- a/docs/configuration-overview.rst +++ b/docs/configuration-overview.rst @@ -400,8 +400,22 @@ Remote archive  VyOS can copy the config to a remote location after each commit. TFTP, FTP, and SFTP servers are supported. +  You can specify the location with:   * `set system config-management commit-archive location URL`   For example, `set system config-management commit-archive location tftp://10.0.0.1/vyos`. + +You can specify the location with `set system config-management commit-archive location URL` command, e.g. `set system config-management commit-archive location tftp://10.0.0.1/vyos`. + +Wipe config and restore default +------------------------------- + +In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode: + +.. code-block:: sh + +  load /opt/vyatta/etc/config.boot.default + +.. note:: If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config. diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 226c81d0..ebe4d402 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -28,15 +28,10 @@ Enable SSH for remote management:    set service ssh port '22' -Configure Source NAT for our "Inside" network. - -.. code-block:: sh -  set nat source rule 100 outbound-interface 'eth0' -  set nat source rule 100 source address '192.168.0.0/24' -  set nat source rule 100 translation address masquerade -Configure a DHCP Server: +Configure DHCP Server and DNS +^^^^^^^^^^^^^^^^^^^^^^^  .. code-block:: sh 
@@ -49,17 +44,27 @@ Configure a DHCP Server:  And a DNS forwarder: -Please note that the `listen-on` statement is deprecated. Please use -`listen-address` instead! -  .. code-block:: sh    set service dns forwarding cache-size '0' -  set service dns forwarding listen-on 'eth1' +  set service dns forwarding listen-address '192.168.0.1'    set service dns forwarding name-server '8.8.8.8'    set service dns forwarding name-server '8.8.4.4' -Add a set of firewall policies for our "Outside" interface: +NAT and Firewall +^^^^^^^^^^^^^^^^ + +Configure Source NAT for our "Inside" network. + +.. code-block:: sh + +  set nat source rule 100 outbound-interface 'eth0' +  set nat source rule 100 source address '192.168.0.0/24' +  set nat source rule 100 translation address masquerade + +Add a set of firewall policies for our "Outside" interface.   + +This configuration creates a proper stateful firewall that blocks all traffic:  .. code-block:: sh @@ -75,6 +80,13 @@ Add a set of firewall policies for our "Outside" interface:    set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'    set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'    set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' + +If you wanted to enable SSH access to your firewall from the the Internet, you could create some additional rules to allow the traffic. + +These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts: + +.. code-block:: sh +    set firewall name OUTSIDE-LOCAL rule 30 action 'drop'    set firewall name OUTSIDE-LOCAL rule 30 destination port '22'    set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp' @@ -105,7 +117,7 @@ Commit changes, save the configuration, and exit configuration mode:    vyos@vyos$  Basic QoS ---------- +^^^^^^^^^  The traffic policy subsystem provides an interface to Linux traffic control  (tc_). 
@@ -163,4 +175,38 @@ VyOS 1.2 (Crux) also supports HFSC (:code:`set traffic-policy shaper-hfsc`)  See further information in the :ref:`qos` chapter. +Security Hardening +^^^^^^^^^^^^^^^^^^ + +Especially if you are allowing SSH access from the Internet, there are a few additional configuration steps that should be taken. + +Create a user to replace the default `vyos` user: + +.. code-block:: sh + +  set system login user myvyosuser level admin +  set system login user myvyosuser authentication plaintext-password mysecurepassword + +Set up SSH key based authentication.  For example, on Linux you'd want to run `ssh-keygen -t rsa`.  Then the contents of `id_rsa.pub` would be used below: + +.. code-block:: sh + +  set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa +  set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub + +Or you can use the `loadkey` command. Commit and save. + +Finally, try and ssh into the VyOS install as your new user.   + +Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH: + +.. code-block:: sh + +  delete system login user vyos +  set service ssh disable-password-authentication + +Commit and save. + + +  .. _tc: http://en.wikipedia.org/wiki/Tc_(Linux) | 
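Review bot: in the docs/configuration-overview.rst hunk (@@ -400,8 +400,22 @@) the added paragraph "You can specify the location with `set system config-management commit-archive location URL` command, e.g. ..." repeats the unchanged bullet `* set system config-management commit-archive location URL` and its `For example, ...` line directly above it, so the Remote archive section now says the same thing twice; keep one form and drop the other. In the new "Wipe config and restore default" block, `load /opt/vyatta/etc/config.boot.default` only replaces the working configuration, and the connection loss the `.. note::` warns about happens when the user runs `commit`, so add `commit` (and `save`, if the default should survive a reboot) after the `load` line; that also tells a remote administrator exactly which step will cut them off, which is the moment to have the edited config ready as the note suggests. Minor: "In the case you want" reads better as "If you want".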
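Review bot: in the first docs/quick-start.rst hunk (@@ -28,15 +28,10 @@) the `^` underline under the new `Configure DHCP Server and DNS` heading is shorter than the title text (23 `^` characters under a 29-character title as far as the hunk shows); Sphinx emits a "Title underline too short" warning for that, so pad it to the full width. Moving the Source NAT block out of the DHCP section is a sensible regrouping given that the `Basic QoS` heading is switched to `^` in the same patch, so the subsection levels stay consistent.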
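Review bot: in the @@ -49,17 +44,27 @@ hunk the new sentence "This configuration creates a proper stateful firewall that blocks all traffic:" overstates what follows; a ruleset that blocked all traffic would also block the return traffic for the NAT rule added just above it, and the rules visible in the next hunk match ICMP `echo-request` in state `new` and then open SSH. Say instead that it blocks unsolicited inbound traffic to the router and to the Inside network except what the listed rules explicitly permit. Replacing the deprecated `listen-on 'eth1'` with `listen-address '192.168.0.1'` is the right fix, and `192.168.0.1` is consistent with the `192.168.0.0/24` Inside network in `set nat source rule 100 source address`; a short remark that the two must be changed together would help readers who adapt the quick start to a different LAN prefix. Also, `Add a set of firewall policies for our "Outside" interface.` carries trailing whitespace.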
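Review bot: in the @@ -75,6 +80,13 @@ hunk, "from the the Internet" has a doubled "the". The claim "This blocks brute-forcing attempts" promises more than a limit of 4 requests per minute delivers: it slows guessing down rather than stopping it, so write "limits" or "slows" and point the reader at the key-based authentication and `disable-password-authentication` steps added in the Security Hardening section later in this same patch, which is what actually removes password guessing. Since the first rule shown after the new intro is `rule 30 action 'drop'` on destination port 22, the prose should state which rule performs the accept, so a reader who copies only the visible lines does not lock themselves out of their own router.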
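Review bot: in the @@ -163,4 +175,38 @@ hunk, "Or you can use the `loadkey` command." gives neither the syntax nor a cross-reference, so a reader cannot act on it; show the invocation or drop the sentence. The ordering is correct (confirm the key login works, then `delete system login user vyos` and `set service ssh disable-password-authentication`), but the text should say explicitly that both lines belong in one commit and that the administrator should keep the existing session open until the new login has been re-tested after that commit, since a mistake here locks them out of a remote box with password authentication already gone. The step "Set up SSH key based authentication ... Commit and save." followed by "Finally, try and ssh ..." would read more clearly with a sentence stating that the test must succeed without a password prompt before the deletion step, which is the condition the "Once you have confirmed" paragraph relies on. Minor: two blank lines were added before `.. _tc:`.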
