Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/container/index.rst     14
-rw-r--r--  docs/configuration/policy/route-map.rst    15
-rw-r--r--  docs/configuration/service/https.rst        4
-rw-r--r--  docs/configuration/service/monitoring.rst  107
-rw-r--r--  docs/configuration/service/ssh.rst         30
5 files changed, 162 insertions, 8 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst
index ed510477..796b6146 100644
--- a/docs/configuration/container/index.rst
+++ b/docs/configuration/container/index.rst
@@ -26,7 +26,7 @@ Configuration
image that does not include the registry in the image name, Vyos will use
docker.io as the container registry.
-.. cfgcmd:: set container <name> image
+.. cfgcmd:: set container name <name> image
Sets the image name in the hub registry
@@ -42,7 +42,7 @@ Configuration
set container name mysql-server image quay.io/mysql:8.0
-.. cfgcmd:: set container <name> allow-host-networks
+.. cfgcmd:: set container name <name> allow-host-networks
Allow host networking in a container. The network stack of the container is
not isolated from the host and will use the host IP.
@@ -52,11 +52,11 @@ Configuration
.. note:: **allow-host-networks** cannot be used with **network**
-.. cfgcmd:: set container <name> description <text>
+.. cfgcmd:: set container name <name> description <text>
Sets the container description
-.. cfgcmd:: set container <name> environment '<key>' value '<value>'
+.. cfgcmd:: set container name <name> environment '<key>' value '<value>'
Add custom environment variables.
Multiple environment variables are allowed.
@@ -70,7 +70,7 @@ Configuration
set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd'
set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'
-.. cfgcmd:: set container <name> network <networkname>
+.. cfgcmd:: set container name <name> network <networkname>
Attaches user-defined network to a container.
Only one network must be specified and must already exist.
@@ -84,7 +84,7 @@ Configuration
.. note:: The first IP in the container network is reserved by the engine and cannot be used
-.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber>
+.. cfgcmd:: set container name <name> port <portname> [source | destination ] <portnumber>
Publishes a port for the container
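Review bot: `[source | destination ]` carries a stray space before the closing bracket in both the old and the new line (the volume hunk below has the same); write `[source | destination]`. "Publishes a port for the container" should also state which of source and destination is the host port and which the container port, since the example further down (`port http source 80` / `port http destination 8080`) only makes sense once the reader knows that.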
@@ -93,7 +93,7 @@ Configuration
set container name zabbix-web-nginx-mysql port http source 80
set container name zabbix-web-nginx-mysql port http destination 8080
-.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path>
+.. cfgcmd:: set container name <name> volume <volumename> [source | destination ] <path>
Mount a volume into the container
diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst
index 8b2a555c..6e979a32 100644
--- a/docs/configuration/policy/route-map.rst
+++ b/docs/configuration/policy/route-map.rst
@@ -75,10 +75,25 @@ Route Map
IP next-hop of route to match, based on access-list.
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
+ address <x.x.x.x>
+
+ IP next-hop of route to match, based on ip address.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
+ prefix-len <0-32>
+
+ IP next-hop of route to match, based on prefix length.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
prefix-list <text>
IP next-hop of route to match, based on prefix-list.
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop
+ type <blackhole>
+
+ IP next-hop of route to match, based on type.
+
.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source
access-list <1-2699>
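Review bot: in the new `type <blackhole>` entry the angle brackets wrap a literal keyword rather than a user-supplied value; write `type blackhole`, or, if other types are accepted, list them as `type <blackhole | ...>` so the reader knows the alternatives. The four new descriptions are near-identical ("based on ip address", "based on prefix length", "based on type") and should say what is compared, for example "Match routes whose IP next-hop equals the given address" and "Match routes whose next-hop prefix length is <0-32>"; "ip address" should be "IP address" to match the surrounding lines.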
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 22533db5..4ff777e9 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -28,6 +28,10 @@ Configuration
Set the listen port of the local API, this has no effect on the
webserver. The default is port 8080
+.. cfgcmd:: set service https api socket
+
+ Use local socket for API
+
.. cfgcmd:: set service https api strict
Enforce strict path checking
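Review bot: "Use local socket for API" does not tell the reader what changes. State whether enabling it makes the API listen on a Unix domain socket instead of the TCP port set by `set service https api port` (documented directly above, default 8080), and give the socket path; whether the API remains reachable over the network is exactly what an operator needs to know before setting this option.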
diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst
index 7396f142..755669e1 100644
--- a/docs/configuration/service/monitoring.rst
+++ b/docs/configuration/service/monitoring.rst
@@ -1,10 +1,111 @@
Monitoring
----------
-Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
+Azure-data-explorer
+===================
+Telegraf output plugin azure-data-explorer_
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-id <client-id>
+
+ Authentication application client-id.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-secret <client-secret>
+
+ Authentication application client-secret.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication tenant-id <tenant-id>
+
+ Authentication application tenant-id
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name>
+
+ Remote databe name.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric>
+
+ Type of metrics grouping when push to Azure Data Explorer. The default is
+ ``table-per-metric``.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer table <name>
+
+ Name of the single table Only if set group-metrics single-table.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer url <url>
+
+ Remote URL.
+
+Prometheus-client
+=================
+Telegraf output plugin prometheus-client_
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client
+
+ Output plugin Prometheus client
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client allow-from <prefix>
+
+ Networks allowed to query this server
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client authentication username <username>
+
+ HTTP basic authentication username
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client authentication password <password>
+
+ HTTP basic authentication username
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client listen-address <address>
+
+ Local IP addresses to listen on
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client metric-version <1 | 2>
+
+ Metris version, the default is ``2``
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client port <port>
+
+ Port number used by connection, default is ``9273``
+
+Example:
+
+.. code-block:: none
+
+ set service monitoring telegraf prometheus-client
+
+.. code-block:: none
+
+ vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" | grep cpu_usage_system
+ cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556
+ cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915
+ cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655
+
+Splunk
+======
+Telegraf output plugin splunk_. HTTP Event Collector.
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication insecure
+
+ Use TLS but skip host validation
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication token <token>
+
+ Authorization token
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication url <url>
+
+ Remote URL to Splunk collector
+
+Example:
+
+.. code-block:: none
+
+ set service monitoring telegraf splunk authentication insecure
+ set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx'
+ set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'
Telegraf
========
+Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
Telegraf is the open source server agent to help you collect metrics, events
and logs from your routers.
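Review bot: the Splunk example uses `set service monitoring telegraf splunk url '...'`, but the command documented above it is `set service monitoring telegraf splunk authentication url <url>`; one of the two paths is wrong and the example should be the form that actually commits. Several descriptions also need fixing: "Remote databe name" (database), "Metris version" (Metric), the `authentication password` entry repeats "HTTP basic authentication username" and should read "password", "when push to" (when pushing to), and "Name of the single table Only if set group-metrics single-table" needs a full stop and rewording ("Name of the single table; only used when group-metrics is single-table"). For `authentication insecure`, say whether it skips TLS certificate verification entirely (as "insecure" suggests) or only host-name validation, as "Use TLS but skip host validation" understates it and the example enables it. Finally, the three new plugin sections land above the existing "Telegraf" heading that the moved line "Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided." introduces; put the general Telegraf section first so the page reads as introduction, then output plugins.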
@@ -43,3 +144,7 @@ An example of a configuration that sends ``telegraf`` metrics to remote
set service monitoring telegraf port '8086'
set service monitoring telegraf source 'all'
set service monitoring telegraf url 'http://r1.influxdb2.local'
+
+.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer
+.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client
+.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html \ No newline at end of file
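Review bot: the file now ends without a trailing newline (`\ No newline at end of file`); add one. The `splunk_` target points at a Splunk blog post while the other two point at the Telegraf plugin source directories; if the Splunk output is configured through a Telegraf plugin, link that plugin's documentation so the three references are of one kind.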
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index ad410a3c..baf17035 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -109,6 +109,36 @@ Configuration
Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+Dynamic-protection
+==================
+Protects host from brute-force attacks against
+SSH. Log messages are parsed, line-by-line, for recognized patterns. If an
+attack, such as several login failures within a few seconds, is detected, the
+offending IP is blocked. Offenders are unblocked after a set interval.
+
+.. cfgcmd:: set service ssh dynamic-protection
+
+ Allow ``ssh`` dynamic-protection.
+
+.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix>
+
+ Whitelist of addresses and networks. Always allow inbound connections from
+ these systems.
+
+.. cfgcmd:: set service ssh dynamic-protection block-time <sec>
+
+ Block source IP in seconds. Subsequent blocks increase by a factor of 1.5
+ The default is 120.
+
+.. cfgcmd:: set service ssh dynamic-protection detect-time <sec>
+
+ Remember source IP in seconds before reset their score. The default is 1800.
+
+.. cfgcmd:: set service ssh dynamic-protection threshold <sec>
+
+ Block source IP when their cumulative attack score exceeds threshold. The
+ default is 30.
+
Operation
=========
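Review bot: `threshold <sec>` uses a seconds placeholder, but the description says the value is a cumulative attack score (default 30), so the placeholder should be `<score>`, not `<sec>`. The `block-time` text is missing a full stop after "factor of 1.5" and reads awkwardly; suggest "Time in seconds a source IP stays blocked. Subsequent blocks increase by a factor of 1.5. The default is 120." and, for `detect-time`, "Time in seconds an offender's score is remembered before it is reset. The default is 1800." Under `allow-from` it is worth stating that the networks administrators manage the router from belong in this list, since a few mistyped passwords from an unlisted address will otherwise block the operator for block-time seconds.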