create more robust access controls for sshd and snmpd
Open, WishlistPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	danhusan
	Oct 24 2023, 4:21 PM

Description

By default both ssh and snmp leak information if open to the public. In some scenarios it is not feasible to use network ACL´s to restrict access. I suggest:

ssh:
set service ssh allowed-clients <ip / address / network-group>

resulting config:
/etc/hosts.allow
sshd: <ip address>

/etc/hosts.deny
sshd: ALL

snmp:
If all snmp communities have IP addresses assigned to them then:

resulting config:
/etc/hosts.allow
snmpd: <community ips>

/etc/hosts.deny
snmpd: ALL

I have this implemented through a postconfig script and it works great.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

danhusan created this task.Oct 24 2023, 4:21 PM

Viacheslav added a project: VyOS 1.5 Circinus.Oct 24 2023, 4:33 PM

pasik added a subscriber: pasik.Oct 24 2023, 6:13 PM

Viacheslav triaged this task as Wishlist priority.Jan 20 2024, 1:35 PM

dmbaturin removed a project: VyOS 1.4 Sagitta.Fri, Apr 12, 2:38 PM

create more robust access controls for sshd and snmpdOpen, WishlistPublicFEATURE REQUESTActions

Description

Details

Event Timeline

create more robust access controls for sshd and snmpd
Open, WishlistPublicFEATURE REQUEST
Actions