Page MenuHomeVyOS Platform

Using tallow to block sshd probes
Closed, ResolvedPublicFEATURE REQUEST


Tallow service would allow to block ssh probes from accessing default ssh port for given times, by default it uses ipset, but maybe even better integration with vyos could be achieved.

i would like to propose inclusion of tallow into distribution.
I will try to create package and configuration settings required to set it trough vyos interface, proposal would be something like:

set firewall tallow enable
set firewall tallow expires 86400
set firewall tallow ipv6 disable
set firewall tallow whitelist
set firewall tallow whitelist 20.20.
set firewall tallow whitelist 30.

given set of commands should create file in /etc with next settings


and systemd service tallow should be enabled and started on boot..

Of course it should NOT be enabled be default as user would very easy block themselves with it.

Package source


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Mentioned In

Event Timeline

This can be done via the tc kernel module AFAIK. Something like fireqos would be great to have in here, but they're pretty opinionated in how they do things in their tools so probably not a viable drop-in solution.
This can also be done with OSSEC using active response, either by building an OSSEC agent into the image (client key management is kind of a PITA) or by way of remote feed for FW log events showing attempts to connect with an active-response script to temporarily block the offenders with progressively longer blocks on repeat offenses.

erkin set Issue type to Feature (new functionality).Aug 30 2021, 7:50 AM
erkin removed a subscriber: Active contributors.
Viacheslav claimed this task.
Viacheslav subscribed.

We are using sshguard

set service ssh dynamic-protection