
Using tallow to block sshd probes
Closed, Resolved | Public | FEATURE REQUEST

Description

The tallow service would allow blocking ssh probes from accessing the default ssh port for a given time; by default it uses ipset, but maybe even better integration with VyOS could be achieved.

I would like to propose the inclusion of tallow into the distribution.
I will try to create a package and the configuration settings required to set it up through the VyOS interface; the proposal would be something like:

set firewall tallow enable
set firewall tallow expires 86400
set firewall tallow ipv6 disable
set firewall tallow whitelist 10.10.0.1
set firewall tallow whitelist 20.20.
set firewall tallow whitelist 30.

The given set of commands should create a file in /etc with the following settings:

/etc/tallow.conf
expires=86400
whitelist=10.10.0.1
whitelist=20.20.
whitelist=30.

and the systemd service tallow should be enabled and started on boot.

Of course it should NOT be enabled by default, as a user could very easily block themselves with it.

Package source
https://github.com/clearlinux/tallow
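As an added illustration of the proposed CLI-to-file mapping (example code, not from the task or from the tallow project): a Python sketch that parses the six proposed commands into the contents of /etc/tallow.conf, rejecting anything it does not recognise so a typo cannot quietly produce a lockout. The `ipv6=0` key and the dotted-prefix validation are assumptions about tallow's config format, not something the task states.

```python
import shlex
# Constructed sample input: the commands exactly as proposed in the task.
SAMPLE_COMMANDS = """\
set firewall tallow enable
set firewall tallow expires 86400
set firewall tallow ipv6 disable
set firewall tallow whitelist 10.10.0.1
set firewall tallow whitelist 20.20.
set firewall tallow whitelist 30.
"""

def valid_whitelist_prefix(entry: str) -> bool:
    """tallow whitelists by string prefix ('20.20.' covers 20.20.x.y):
    accept up to four dotted octets, the last one optionally empty."""
    parts = entry.split(".")
    if not entry or len(parts) > 4:
        return False
    octet = lambda p: p.isdigit() and int(p) <= 255
    return all(octet(p) for p in parts[:-1]) and (parts[-1] == "" or octet(parts[-1]))

def parse_tallow_commands(text: str) -> dict:
    """Turn the CLI lines into {'enable', 'expires', 'ipv6', 'whitelist'}; any
    unrecognised line raises, so a typo cannot silently lock the operator out."""
    cfg = {"enable": False, "expires": None, "ipv6": True, "whitelist": []}
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[:3] != ["set", "firewall", "tallow"] or len(words) < 4:
            raise ValueError(f"not a tallow command: {raw!r}")
        node, args = words[3], words[4:]
        if node == "enable" and not args:
            cfg["enable"] = True
        elif node == "expires" and len(args) == 1 and args[0].isdigit():
            cfg["expires"] = int(args[0])
        elif node == "ipv6" and args == ["disable"]:
            cfg["ipv6"] = False
        elif node == "whitelist" and len(args) == 1 and valid_whitelist_prefix(args[0]):
            cfg["whitelist"].append(args[0])
        else:
            raise ValueError(f"unsupported tallow command: {raw!r}")
    return cfg

def render_tallow_conf(cfg: dict) -> str:
    """Emit the key=value lines tallow reads, one whitelist= line per entry."""
    lines = [f"expires={cfg['expires']}"] if cfg["expires"] is not None else []
    lines += [f"whitelist={w}" for w in cfg["whitelist"]]
    if not cfg["ipv6"]:
        lines.append("ipv6=0")  # assumed tallow.conf key; not in the proposal
    return "\n".join(lines) + "\n"
```

The `enable` flag is parsed but deliberately not written to the file: whether the service is started is a separate decision, in line with the point that it must stay off unless explicitly configured.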

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Mentioned In
1.3.6

Event Timeline

This can be done via the tc kernel module AFAIK. Something like fireqos would be great to have in here, but they're pretty opinionated in how they do things in their tools so probably not a viable drop-in solution.
This can also be done with OSSEC using active response, either by building an OSSEC agent into the image (client key management is kind of a PITA) or by way of a remote feed of FW log events showing connection attempts, with an active-response script to temporarily block the offenders, using progressively longer blocks on repeat offenses.

erkin set Issue type to Feature (new functionality). Aug 30 2021, 7:50 AM
erkin removed a subscriber: Active contributors.
Viacheslav claimed this task.
Viacheslav added a subscriber: Viacheslav.

We are using sshguard

set service ssh dynamic-protection