
Access Control for SSH (and other?) services
Open, Normal, Public, FEATURE REQUEST

Description

tcp_wrappers is enabled, but there's no way of changing the /etc/hosts.{allow,deny} files except manually, which does not survive upgrade.

Suggest a per-service configuration as such:

set service ssh client-allow [ IPv4 network ]
set service ssh client-allow [ IPv6 network ]

which would change the files:

/etc/hosts.allow
sshd: [ IPv4 network ],[ IPv6 network ]

/etc/hosts.deny
sshd: ALL

This same method could be used for https, console-server, etc. - anything which uses libwrap.
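As an added illustration of the proposed mapping (not VyOS code, and not part of the original request), the renderer below turns a per-service client-allow list into hosts.allow/hosts.deny contents in hosts_access(5) syntax. The service-to-daemon name mapping and all sample networks are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Hypothetical renderer for the proposed 'client-allow' option: builds the
# contents of /etc/hosts.allow and /etc/hosts.deny for libwrap-aware services.
# Assumed mapping from VyOS service name to the daemon name libwrap sees.
DAEMON_NAMES = {"ssh": "sshd"}


def to_libwrap_pattern(network: str) -> str:
    """Convert a CIDR string to the hosts_access(5) pattern syntax.

    IPv4 uses the widely supported net/netmask form; IPv6 uses [net]/prefixlen.
    strict=True rejects entries with host bits set, so a typo fails closed
    (ValueError) instead of silently widening the allow list.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        return f"{net.network_address}/{net.netmask}"
    return f"[{net.network_address}]/{net.prefixlen}"


def render_hosts_files(client_allow: Dict[str, Iterable[str]]) -> Tuple[str, str]:
    """Return (hosts.allow, hosts.deny) text for a service -> networks map.

    Every configured service gets a 'daemon: ALL' deny line; an allow line is
    only emitted when at least one network is configured, so an empty list
    denies everyone rather than allowing everyone.
    """
    allow_lines, deny_lines = [], []
    for service, networks in sorted(client_allow.items()):
        daemon = DAEMON_NAMES.get(service, service)
        patterns = [to_libwrap_pattern(n) for n in networks]
        if patterns:
            allow_lines.append(f"{daemon}: {','.join(patterns)}")
        deny_lines.append(f"{daemon}: ALL")
    return "\n".join(allow_lines) + "\n", "\n".join(deny_lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: RFC 5737 / RFC 3849 documentation ranges.
    allow, deny = render_hosts_files({"ssh": ["192.0.2.0/24", "2001:db8:1::/48"]})
    print("# hosts.allow\n" + allow + "# hosts.deny\n" + deny)
```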

NOTE: Alternative security methods are VRF and Firewall, but adding a firewall to a high-throughput router isn't necessarily desired, and a VRF is an all-or-nothing configuration - you are either on one side or another - meaning you must use the VRF even if you're standing next to the router.

Naturally, tcp_wrappers doesn't replace normal security procedures, like 'disable-password-authentication', but it keeps the log files from being flooded by brute force attacks, and helps prevent compromises caused by mistakes in other methods.

This change could easily be added to any existing version.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Feature (new functionality)