authorChristian Breunig <christian@breunig.cc>2023-10-29 09:57:33 +0100
committerGitHub <noreply@github.com>2023-10-29 09:57:33 +0100
commit5974491d4b69932876ad697f82e1ef74cd37aa8f (patch)
tree6069e6cd61482e3873e641b586a377c8a7b3ad70
parent2c87e2440cab8f6501faf3a4e2d08dbb43d6c73f (diff)
parent57000d752c610984c2074ad8cd2fa2d346794ba9 (diff)
Merge pull request #2412 from JeffWDH/sagitta
T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection
-rw-r--r--op-mode-definitions/monitor-log.xml.in12
-rw-r--r--op-mode-definitions/show-log.xml.in12
-rw-r--r--op-mode-definitions/show-ssh.xml.in6
-rwxr-xr-xsrc/op_mode/ssh.py38
4 files changed, 64 insertions, 4 deletions
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in
index 52b5b85d4..ee066b39b 100644
--- a/op-mode-definitions/monitor-log.xml.in
+++ b/op-mode-definitions/monitor-log.xml.in
@@ -274,12 +274,20 @@
</properties>
<command>journalctl --no-hostname --boot --follow --unit snmpd.service</command>
</leafNode>
- <leafNode name="ssh">
+ <node name="ssh">
<properties>
<help>Monitor last lines of Secure Shell log</help>
</properties>
<command>journalctl --no-hostname --boot --follow --unit ssh.service</command>
- </leafNode>
+ <children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Monitor last lines of SSH guard log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit sshguard.service</command>
+ </node>
+ </children>
+ </node>
<leafNode name="vpn">
<properties>
<help>Monitor last lines of ALL Virtual Private Network services</help>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index 747622db6..08d5ae11a 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -398,12 +398,20 @@
</properties>
<command>journalctl --no-hostname --boot --unit snmpd.service</command>
</leafNode>
- <leafNode name="ssh">
+ <node name="ssh">
<properties>
<help>Show log for Secure Shell (SSH)</help>
</properties>
<command>journalctl --no-hostname --boot --unit ssh.service</command>
- </leafNode>
+ <children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Show SSH guard log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit sshguard.service</command>
+ </node>
+ </children>
+ </node>
<tagNode name="tail">
<properties>
<help>Show last n changes to messages</help>
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
index 7b72739c4..ca8e669b3 100644
--- a/op-mode-definitions/show-ssh.xml.in
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -7,6 +7,12 @@
<help>Show SSH server information</help>
</properties>
<children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Show SSH server dynamic-protection blocked attackers</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
+ </node>
<node name="fingerprints">
<properties>
<help>Show SSH server public key fingerprints</help>
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
index 4de9521b5..acb066144 100755
--- a/src/op_mode/ssh.py
+++ b/src/op_mode/ssh.py
@@ -15,6 +15,7 @@
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+import json
import sys
import glob
import vyos.opmode
@@ -60,3 +61,40 @@ def show_fingerprints(raw: bool, ascii: bool):
return []
else:
return "No SSH server public keys are found."
+
+def show_dynamic_protection(raw: bool):
+ config = ConfigTreeQuery()
+ if not config.exists(['service', 'ssh', 'dynamic-protection']):
+ raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
+
+ attackers = []
+ try:
+ # IPv4
+ attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ try:
+ # IPv6
+ attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ if attackers:
+ if raw:
+ return attackers
+ else:
+ output = "Blocked attackers:\n" + "\n".join(attackers)
+ return output
+ else:
+ if raw:
+ return []
+ else:
+ return "No blocked attackers."
+
+if __name__ == '__main__':
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)
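Review bot: Both lookups in `show_dynamic_protection` sit inside a bare `except: pass`, so a failing `nft` call, malformed JSON or an unexpected document layout is all reported as "No blocked attackers."; an operator cannot tell an empty block list from a query that never worked. Catch only the errors you expect (assuming `cmd()` raises `OSError` on a non-zero exit; its import is outside this hunk) and let anything else surface. The formatted branch also hands the raw `elem` list to `"\n".join(...)`. nft's JSON output can represent prefix, range or timeout-bearing elements as objects rather than strings, which would raise a `TypeError` that the `__main__` handler does not catch, so non-string entries should be serialised before joining. The hard-coded `["nftables"][1]` index also assumes the set is always the second entry in the document, which deserves a short comment.

```python
def show_dynamic_protection(raw: bool):
    # … unchanged: ConfigTreeQuery check for 'service ssh dynamic-protection' …

    attackers = []
    for family in ('ip', 'ip6'):
        try:
            data = json.loads(cmd(f"nft -j list set {family} sshguard attackers"))
            # index 0 is expected to be the metainfo object, index 1 the set itself
            attackers += data["nftables"][1]["set"]["elem"]
        except (OSError, ValueError, KeyError, IndexError, TypeError):
            # set absent or empty for this address family; assumes cmd() raises OSError on failure
            continue

    # … unchanged: raw / empty-list handling …
        output = "Blocked attackers:\n" + "\n".join(
            a if isinstance(a, str) else json.dumps(a) for a in attackers)
```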