Hello,
Yesterday night I had a strange thing on our network which I think was a DDoS. I truly didn't understand what was happening, because it was like 1M ICMP on one /23,
so I want to somehow block it or limit it or something to avoid this.
In VyOS I set this: all-ping disable, but ping to the servers/VMs still works.
And if someone can provide me a firewall SSH rate limit / protection, because I'm tired of this:
There were 23632 failed login attempts since the last successful login.
After just 10 min a VM is on.
You can use a non-standard port for SSH, for example 8822, 2222, 64254:
set service ssh port '8822'
If possible, it is best practice to allow SSH only from predefined IPs.
Also, if possible, use default action DROP for the firewall, but it depends. And allow only what you want/know.
An example firewall that allows SSH from 203.0.113.1 and 192.168.122.1.
Also, it denies ICMP for network 10.0.0.0/23.
As for me, denying all ICMP is a bad idea. But you can try.
set firewall group address-group ALLOW-SSH address '203.0.113.1'
set firewall group address-group ALLOW-SSH address '192.168.122.1'
set firewall group network-group NET network '10.0.0.0/23'
set firewall name WAN-IN default-action 'accept'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 destination port '22'
set firewall name WAN-IN rule 10 protocol 'tcp'
set firewall name WAN-IN rule 10 source group address-group 'ALLOW-SSH'
set firewall name WAN-IN rule 20 action 'drop'
set firewall name WAN-IN rule 20 destination port '22'
set firewall name WAN-IN rule 20 protocol 'tcp'
set firewall name WAN-FW-IN default-action 'accept'
set firewall name WAN-FW-IN rule 10 action 'drop'
set firewall name WAN-FW-IN rule 10 destination group network-group 'NET'
set firewall name WAN-FW-IN rule 10 protocol 'icmp'
set interfaces ethernet eth0 firewall in name 'WAN-FW-IN'
set interfaces ethernet eth0 firewall local name 'WAN-IN'
Hello,
Regarding SSH, we never use default ports on our VMs, or servers, or on VyOS; this is what I don't understand, they still brute force.
Customers do use port 22 because they don't know how to change it, or it's just nothing special for them to change it.
Not necessarily to block it but limit it, for example a ping coming from an IP that keeps pinging for hours.
You can use “recent count” and “recent time”
Select the parameters you need for these values.
set firewall name WAN-IN default-action 'accept'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'
set firewall name WAN-IN rule 20 action 'drop'
set firewall name WAN-IN rule 20 destination port '22'
set firewall name WAN-IN rule 20 protocol 'tcp'
set firewall name WAN-IN rule 20 recent count '5'
set firewall name WAN-IN rule 20 recent time '120'
set interfaces ethernet eth0 firewall local name 'WAN-IN'
As you can see, it blocks the source if it tries to connect to port 22 more than 5 times per 120 sec:
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$
vyos@r2-roll:~$ curl 192.168.122.14:22
^C
vyos@r2-roll:~$ curl 192.168.122.14:22
^C
vyos@r2-roll:~$ curl 192.168.122.14:22
Firewall statistics:
IPv4 Firewall "WAN-IN":
Active on (eth0,LOCAL)
rule packets bytes action source destination
---- ------- ----- ------ ------ -----------
10 939 70.49K ACCEPT 0.0.0.0/0 0.0.0.0/0
20 68 4.92K DROP 0.0.0.0/0 0.0.0.0/0
10000 34 2.33K ACCEPT 0.0.0.0/0 0.0.0.0/0
Should I set this on the ISP interface or the switch interface?
eth0 ISP
eth1.2288 ISP
eth2.2299 ISP
eth5 10GB > Switch
For how long will it block the source?
It depends where you want to block, incoming or forwarding traffic.
I set it on the ISP interface and it is working all OK.
How about the ping ?
As I mentioned above, you can use “recent count” and “recent time”.
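To make the "recent count" / "recent time" behaviour concrete for both the SSH rule above and the ping question here, this is an added example (not VyOS code and not from anyone in the thread): a small Python model of a per-source sliding window, using the thread's values of count 5 and time 120. It assumes, as a simplification, that every hit from a source (accepted or dropped) is recorded and that a new hit is dropped once the source already has 5 hits within the last 120 seconds, which reproduces the transcript above (five connections succeed, the sixth hangs). The sample attempts are constructed.

```python
# Added example, not from the VyOS thread: simplified sliding-window model of
# the "recent count '5'" / "recent time '120'" match. Assumption: every hit
# from a source is recorded, and a hit is dropped once the source already has
# `count` hits inside the last `seconds` seconds.
from collections import defaultdict, deque

RECENT_COUNT = 5     # "recent count '5'"
RECENT_TIME = 120    # "recent time '120'" (seconds)


class RecentLimiter:
    """Per-source sliding window: one deque of hit timestamps per address."""

    def __init__(self, count=RECENT_COUNT, seconds=RECENT_TIME):
        self.count = count
        self.seconds = seconds
        self.seen = defaultdict(deque)

    def decide(self, src, ts):
        """Return 'drop' or 'accept' for a new hit from src at time ts (seconds)."""
        window = self.seen[src]
        # Forget hits that fell out of the window.
        while window and ts - window[0] > self.seconds:
            window.popleft()
        # The rule matches (drops) only once the allowance is used up,
        # so the 6th hit within 120 s is the first one dropped.
        action = "drop" if len(window) >= self.count else "accept"
        window.append(ts)   # dropped hits are recorded too, so hammering extends the block
        return action


def simulate(attempts, count=RECENT_COUNT, seconds=RECENT_TIME):
    """Run (timestamp, source) attempts through a fresh limiter.

    Returns a list of (timestamp, source, action) in input order."""
    limiter = RecentLimiter(count, seconds)
    return [(ts, src, limiter.decide(src, ts)) for ts, src in attempts]


# Constructed sample: one noisy source, one quiet source, then the noisy
# source returns after the window has expired.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.50"), (1, "203.0.113.50"), (2, "203.0.113.50"),
    (3, "198.51.100.7"),                       # unrelated source, unaffected
    (3, "203.0.113.50"), (4, "203.0.113.50"),  # 4th and 5th hit: still accepted
    (5, "203.0.113.50"),                       # 6th hit inside 120 s: dropped
    (6, "203.0.113.50"),                       # still dropped
    (200, "203.0.113.50"),                     # all hits older than 120 s: accepted again
]


if __name__ == "__main__":
    for ts, src, action in simulate(SAMPLE_ATTEMPTS):
        print(f"t={ts:>3}s  {src:<15} {action}")
```

Under this model the answer to "for how long will it block the source" is: until the source has had fewer than 5 hits in the preceding 120 seconds, so a host that keeps connecting (or pinging) stays blocked, and a host that goes quiet is released after the window passes. The same window applies unchanged to an ICMP rule, since the match only counts hits per source address.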
Dear viacheslav
I have used the same commands below but I am still able to ping from that network. For your information, eth1 is my public interface.
Please let us know what I am missing.
set firewall group network-group NET
set firewall group network-group NET network '209.44.105.134/32'
set firewall name WAN-FW-IN default-action 'accept'
set firewall name WAN-FW-IN rule 10 action 'drop'
set firewall name WAN-FW-IN rule 10 destination group network-group 'NET'
set firewall name WAN-FW-IN rule 10 protocol 'icmp'
set interfaces ethernet eth1 firewall in name 'WAN-FW-IN'