Access list using nftable vyos 1.3.x

Hello guys,

Please, I’m trying to implement an access list using nftables in VyOS to block SSH and allow only some specified IP addresses to access SSH.

PS: The use of nftables would be highly welcomed.

Hi,
have you tried

set service ssh dynamic-protection

I’m currently running the 1.3 LTS version and it has provision, using the set service ssh access-list command, to add a group of networks to be allowed or denied.

The issue I’m also having is how I create a group and add IP addresses to the group so I can call the group name when I’m running the set service ssh access-list command.

“dynamic-protection” (sshguard) did not exist in Equuleus. It was only added in Sagitta.

It will be available in the next LTS release: T5354 Add sshguard to protect against brute-force for 1.3

But the original request could be solved with static address groups.
I don’t get the goal of using the native nft format.


Please, how do I configure a static address group?

Never heard of set service ssh access-list. There’s set service ssh access-control, which is used to set the users that are allowed to use the service. As @Viacheslav stated, to filter by IP, you’ll need to set a firewall rule for incoming SSH traffic. See Firewall — VyOS 1.3.x (equuleus) documentation. There are multiple examples and a pretty clear explanation on how to set up an address group, create a ruleset based on a group, and apply it to an interface.
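The address-group plus firewall-rule approach pointed to above, written out as an added example in VyOS 1.3 (Equuleus) CLI syntax; this is not configuration posted in the thread, and the group name SSH-ALLOW, the rule-set name WAN-LOCAL, the interface eth0 and the 192.0.2.x / 198.51.100.x addresses are assumptions to replace with your own.

```vyos
# --- 1. Static address group holding the hosts allowed to reach SSH ---
# Single addresses and address ranges are both accepted here.
set firewall group address-group SSH-ALLOW description 'Hosts allowed to SSH into the router'
set firewall group address-group SSH-ALLOW address '192.0.2.10'
set firewall group address-group SSH-ALLOW address '198.51.100.20-198.51.100.29'

# --- 2. Rule set for traffic destined to the router itself (the "local" hook) ---
# Anything not matched by a rule falls through to default-action drop,
# so SSH from an address outside SSH-ALLOW is dropped by the default.
set firewall name WAN-LOCAL description 'Traffic to the router on eth0'
set firewall name WAN-LOCAL default-action 'drop'

# Let replies to connections the router itself opened come back in.
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'

# Accept new SSH sessions only when the source is in the group.
# The group is referenced by name, so adding a host later is a one-line change.
set firewall name WAN-LOCAL rule 20 description 'SSH from allowed hosts only'
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'tcp'
set firewall name WAN-LOCAL rule 20 destination port '22'
set firewall name WAN-LOCAL rule 20 source group address-group 'SSH-ALLOW'

# --- 3. Attach the rule set to the interface, in the "local" direction ---
set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'

commit
save

# Operational-mode checks after commit: confirm the group members and that
# rule 20 (not the default drop) is the one counting your SSH packets.
# show firewall group
# show firewall name WAN-LOCAL
```

Because default-action drop covers everything addressed to the router on eth0, not just SSH, add accept rules for any other router-bound traffic you rely on (ICMP, routing protocols, DHCP if applicable) before committing, and commit from a console or a second already-established session so a mistake cannot lock you out. Note that set service ssh access-control remains a per-user allow/deny list and does no IP filtering; the IP restriction lives entirely in the rule set above.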

For some weird reason, using the filter rule wasn’t working. I’ve exhausted all options using the filter rule.

Hence I want to use the ssh access-control adding a group of allowed IPs.

I would appreciate it if you could assist me with how to add a group for access-control in SSH.

Please read my response above. access-control is for users, not IPs. Your only solution is a firewall rule. Please RTFM. If you have a specific issue with setting up a firewall rule, post the specific issue and folks here will be happy to assist, but you need to post what you did that didn’t work.

Thanks @Netboy3, I’ll proceed as advised.