Diffstat (limited to 'docs/configuration')
-rw-r--r-- docs/configuration/container/index.rst   14
-rw-r--r-- docs/configuration/policy/route-map.rst  15
-rw-r--r-- docs/configuration/service/https.rst      4
-rw-r--r-- docs/configuration/service/monitoring.rst 107
-rw-r--r-- docs/configuration/service/ssh.rst        30
5 files changed, 162 insertions, 8 deletions
| diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index ed510477..796b6146 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -26,7 +26,7 @@ Configuration      image that does not include the registry in the image name, Vyos will use       docker.io as the container registry.  -.. cfgcmd:: set container <name> image         +.. cfgcmd:: set container name <name> image              Sets the image name in the hub registry  @@ -42,7 +42,7 @@ Configuration        set container name mysql-server image quay.io/mysql:8.0 -.. cfgcmd:: set container <name> allow-host-networks +.. cfgcmd:: set container name <name> allow-host-networks      Allow host networking in a container. The network stack of the container is       not isolated from the host and will use the host IP. @@ -52,11 +52,11 @@ Configuration      .. note:: **allow-host-networks** cannot be used with **network**  -.. cfgcmd:: set container <name> description <text> +.. cfgcmd:: set container name <name> description <text>      Sets the container description -.. cfgcmd:: set container <name> environment '<key>' value '<value>' +.. cfgcmd:: set container name <name> environment '<key>' value '<value>'      Add custom environment variables.      Multiple environment variables are allowed. @@ -70,7 +70,7 @@ Configuration          set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'          set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' -.. cfgcmd:: set container <name> network <networkname>  +.. cfgcmd:: set container name <name> network <networkname>       Attaches user-defined network to a container.      Only one network must be specified and must already exist. 
@@ -84,7 +84,7 @@ Configuration      .. note:: The first IP in the container network is reserved by the engine and cannot be used -.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber> +.. cfgcmd:: set container name <name> port <portname> [source | destination ] <portnumber>      Publishes a port for the container @@ -93,7 +93,7 @@ Configuration          set container name zabbix-web-nginx-mysql port http source 80          set container name zabbix-web-nginx-mysql port http destination 8080 -.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path> +.. cfgcmd:: set container name <name> volume <volumename> [source | destination ] <path>      Mount a volume into the container diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 8b2a555c..6e979a32 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -75,10 +75,25 @@ Route Map     IP next-hop of route to match, based on access-list.  .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop +   address <x.x.x.x> + +   IP next-hop of route to match, based on ip address. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop +   prefix-len <0-32> + +   IP next-hop of route to match, based on prefix length. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop     prefix-list <text>     IP next-hop of route to match, based on prefix-list. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop +   type <blackhole> + +   IP next-hop of route to match, based on type. +  .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source     access-list <1-2699> diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 22533db5..4ff777e9 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst 
@@ -28,6 +28,10 @@ Configuration     Set the listen port of the local API, this has no effect on the     webserver. The default is port 8080 +.. cfgcmd:: set service https api socket + +   Use local socket for API +  .. cfgcmd:: set service https api strict     Enforce strict path checking diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 7396f142..755669e1 100644 --- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst 
@@ -1,10 +1,111 @@  Monitoring  ---------- -Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. +Azure-data-explorer +=================== +Telegraf output plugin azure-data-explorer_ + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-id <client-id> + +   Authentication application client-id. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-secret <client-secret> + +   Authentication application client-secret. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication tenant-id <tenant-id> + +   Authentication application tenant-id + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name> + +   Remote databe name. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric> + +   Type of metrics grouping when push to Azure Data Explorer. The default is +   ``table-per-metric``. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer table <name> + +   Name of the single table Only if set group-metrics single-table. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer url <url> + +   Remote URL. + +Prometheus-client +================= +Telegraf output plugin prometheus-client_ + +.. cfgcmd:: set service monitoring telegraf prometheus-client + +   Output plugin Prometheus client + +.. cfgcmd:: set service monitoring telegraf prometheus-client allow-from <prefix> + +   Networks allowed to query this server + +.. cfgcmd:: set service monitoring telegraf prometheus-client authentication username <username> + +   HTTP basic authentication username + +.. cfgcmd:: set service monitoring telegraf prometheus-client authentication password <password> + +   HTTP basic authentication username + +.. cfgcmd:: set service monitoring telegraf prometheus-client listen-address <address> + +   Local IP addresses to listen on + +.. 
cfgcmd:: set service monitoring telegraf prometheus-client metric-version <1 | 2> + +   Metris version, the default is ``2`` + +.. cfgcmd:: set service monitoring telegraf prometheus-client port <port> + +   Port number used by connection, default is ``9273`` + +Example: + +.. code-block:: none + +  set service monitoring telegraf prometheus-client + +.. code-block:: none + +  vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" |  grep cpu_usage_system +  cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556 +  cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915 +  cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655 + +Splunk +====== +Telegraf output plugin splunk_. HTTP Event Collector. + +.. cfgcmd:: set service monitoring telegraf splunk authentication insecure + +   Use TLS but skip host validation + +.. cfgcmd:: set service monitoring telegraf splunk authentication token <token> + +   Authorization token + +.. cfgcmd:: set service monitoring telegraf splunk authentication url <url> + +   Remote URL to Splunk collector + +Example: + +.. code-block:: none + +  set service monitoring telegraf splunk authentication insecure +  set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx' +  set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'  Telegraf  ======== +Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.  Telegraf is the open source server agent to help you collect metrics, events  and logs from your routers. 
@@ -43,3 +144,7 @@ An example of a configuration that sends ``telegraf`` metrics to remote    set service monitoring telegraf port '8086'    set service monitoring telegraf source 'all'    set service monitoring telegraf url 'http://r1.influxdb2.local' + +.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer +.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client +.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html
\ No newline at end of file diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index ad410a3c..baf17035 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -109,6 +109,36 @@ Configuration    Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. +Dynamic-protection +================== +Protects host from brute-force attacks against +SSH. Log messages are parsed, line-by-line, for recognized patterns. If an +attack, such as several login failures within a few seconds, is detected, the +offending IP is blocked. Offenders are unblocked after a set interval. + +.. cfgcmd:: set service ssh dynamic-protection + +  Allow ``ssh`` dynamic-protection. + +.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix> + +  Whitelist of addresses and networks. Always allow inbound connections from +  these systems. + +.. cfgcmd:: set service ssh dynamic-protection block-time <sec> + +  Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 +  The default is 120. + +.. cfgcmd:: set service ssh dynamic-protection detect-time <sec> + +  Remember source IP in seconds before reset their score. The default is 1800. + +.. cfgcmd:: set service ssh dynamic-protection threshold <sec> + +  Block source IP when their cumulative attack score exceeds threshold. The +  default is 30. +  Operation  ========= | 
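Review bot: the new `set service https api socket` entry in the https.rst hunk (@@ -28,6 +28,10 @@) says only "Use local socket for API"; it should state how the option interacts with the `api port` setting documented directly above it (default 8080), namely whether the API stops listening on the TCP port once the socket is enabled and where the socket lives, since that is exactly what an operator trying to limit API exposure to local callers needs to know. One sentence under the directive, such as "When enabled, the API is served on a local socket instead of the TCP port." (if that is the actual behaviour), would close the gap.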
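Review bot: in the first monitoring.rst hunk (@@ -1,10 +1,111 @@) the description under `set service monitoring telegraf prometheus-client authentication password <password>` reads "HTTP basic authentication username", a copy-paste of the entry above; it should read "HTTP basic authentication password". In the Splunk example, `set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'` does not match the documented command `set service monitoring telegraf splunk authentication url <url>`; one of the two is wrong and they need to agree. Typos: "Remote databe name." should be "Remote database name.", "Metris version" should be "Metrics version", and "Name of the single table Only if set group-metrics single-table." reads better as "Name of the single table. Only used when group-metrics is set to single-table.". Because `splunk authentication insecure` skips host validation of the collector's TLS certificate, the example that enables it would benefit from a sentence saying it is shown for a lab collector and that a production collector should present a certificate the router can validate. Finally, the prometheus-client section documents `allow-from` but not its default when unset, so readers cannot tell whether the metrics endpoint on port 9273 answers any network by default; please state the default.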
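Review bot: the second monitoring.rst hunk (@@ -43,3 +144,7 @@) ends with "\ No newline at end of file" after the `.. _splunk:` target; add a trailing newline so the file ends cleanly and a later append does not show up as a change to this line. Placing the three link targets at the end of the file is fine for reStructuredText.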
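Review bot: in the ssh.rst hunk (@@ -109,6 +109,36 @@), `set service ssh dynamic-protection threshold <sec>` uses a seconds placeholder, but the description says the value is compared against the cumulative attack score and defaults to 30, so the placeholder should be a score, e.g. `threshold <score>`. Wording: "Allow ``ssh`` dynamic-protection." should be "Enable ``ssh`` dynamic-protection."; "Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 The default is 120." is missing the full stop after 1.5 and reads better as "Time in seconds to block the source IP. Subsequent blocks increase by a factor of 1.5. The default is 120."; "Remember source IP in seconds before reset their score." should be "Time in seconds to remember a source IP before its score is reset."; "Block source IP when their cumulative attack score exceeds threshold." should be "Block a source IP when its cumulative attack score exceeds the threshold.". Under `allow-from` it is worth adding that management networks and out-of-band hosts should be listed there, because failed logins from an operator's own address otherwise count toward the same threshold and can lock the operator out for block-time.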
