diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-05-13 13:11:57 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-13 13:11:57 +0200 |
commit | 8b122bd2ba6be5af1b7e24358b6e4db9abe9a45d (patch) | |
tree | bf04d8f50795c90a745f1be1aba58cf4af00602e /src/conf_mode/ssh.py | |
parent | d70c2b4493366c02f025f43d2a777b2bef3e1789 (diff) | |
parent | 2e81f9e057f598a9a9e5c2d617e3d0818005d850 (diff) | |
download | vyos-1x-8b122bd2ba6be5af1b7e24358b6e4db9abe9a45d.tar.gz vyos-1x-8b122bd2ba6be5af1b7e24358b6e4db9abe9a45d.zip |
Merge pull request #1320 from sever-sever/T4408
sshguard: T4408: Add service ssh dynamic-protection
Diffstat (limited to 'src/conf_mode/ssh.py')
-rwxr-xr-x | src/conf_mode/ssh.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 487e8c229..28669694b 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2021 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -33,6 +33,9 @@ airbag.enable() config_file = r'/run/sshd/sshd_config' systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf' +sshguard_config_file = '/etc/sshguard/sshguard.conf' +sshguard_whitelist = '/etc/sshguard/whitelist' + key_rsa = '/etc/ssh/ssh_host_rsa_key' key_dsa = '/etc/ssh/ssh_host_dsa_key' key_ed25519 = '/etc/ssh/ssh_host_ed25519_key' @@ -54,6 +57,11 @@ def get_config(config=None): # pass config file path - used in override template ssh['config_file'] = config_file + # Ignore default XML values if config doesn't exists + # Delete key from dict + if not conf.exists(base + ['dynamic-protection']): + del ssh['dynamic_protection'] + return ssh def verify(ssh): @@ -86,6 +94,10 @@ def generate(ssh): render(config_file, 'ssh/sshd_config.j2', ssh) render(systemd_override, 'ssh/override.conf.j2', ssh) + + if 'dynamic_protection' in ssh: + render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh) + render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh) # Reload systemd manager configuration call('systemctl daemon-reload') @@ -95,7 +107,12 @@ def apply(ssh): if not ssh: # SSH access is removed in the commit call('systemctl stop ssh.service') + call('systemctl stop sshguard.service') return None + if 'dynamic_protection' not in ssh: + call('systemctl stop sshguard.service') + else: + call('systemctl restart sshguard.service') call('systemctl restart ssh.service') return None |