diff options
author | JeffWDH <jeffwdh@github.com> | 2023-10-21 14:29:05 -0400 |
---|---|---|
committer | JeffWDH <jeffwdh@github.com> | 2023-10-21 14:29:05 -0400 |
commit | 8cdf6eb47052445cde3b4f22e422afa9422a9a73 (patch) | |
tree | 9015b9842f47a5a02d99f0d245330591bac17e60 /src/op_mode | |
parent | 69fb230ee022100234af233f2a2823f887c95059 (diff) | |
download | vyos-1x-8cdf6eb47052445cde3b4f22e422afa9422a9a73.tar.gz vyos-1x-8cdf6eb47052445cde3b4f22e422afa9422a9a73.zip |
T5661: Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection
Diffstat (limited to 'src/op_mode')
-rw-r--r-- | src/op_mode/show-ssh-fingerprints.py | 49 | ||||
-rwxr-xr-x | src/op_mode/ssh.py | 100 |
2 files changed, 100 insertions, 49 deletions
diff --git a/src/op_mode/show-ssh-fingerprints.py b/src/op_mode/show-ssh-fingerprints.py deleted file mode 100644 index 913baae46..000000000 --- a/src/op_mode/show-ssh-fingerprints.py +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright 2017-2023 VyOS maintainers and contributors <maintainers@vyos.io> -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see <http://www.gnu.org/licenses/>. - -import sys -import glob -import argparse -from vyos.utils.process import cmd - -# Parse command line -parser = argparse.ArgumentParser() -parser.add_argument("--ascii", help="Show visual ASCII art representation of the public key", action="store_true") -args = parser.parse_args() - -# Get list of server public keys -publickeys = glob.glob("/etc/ssh/*.pub") - -if publickeys: - print("SSH server public key fingerprints:\n", flush=True) - for keyfile in publickeys: - if args.ascii: - try: - print(cmd("ssh-keygen -l -v -E sha256 -f " + keyfile) + "\n", flush=True) - # Ignore invalid public keys - except: - pass - else: - try: - print(cmd("ssh-keygen -l -E sha256 -f " + keyfile) + "\n", flush=True) - # Ignore invalid public keys - except: - pass -else: - print("No SSH server public keys are found.", flush=True) - -sys.exit(0) diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py new file mode 100755 index 000000000..c09b2166f --- /dev/null +++ b/src/op_mode/ssh.py @@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +# +# Copyright 2017-2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +import json +import sys +import glob +import vyos.opmode +from vyos.utils.process import cmd +from vyos.configquery import ConfigTreeQuery +from tabulate import tabulate + +def show_fingerprints(raw: bool, ascii: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.") + + publickeys = glob.glob("/etc/ssh/*.pub") + + if publickeys: + keys = [] + for keyfile in publickeys: + try: + if ascii: + keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines() + else: + keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines() + type = keydata[0].split(None)[-1].strip("()") + key_size = keydata[0].split(None)[0] + fingerprint = keydata[0].split(None)[1] + comment = keydata[0].split(None)[2:-1][0] + if ascii: + ascii_art = "\n".join(keydata[1:]) + keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art}) + else: + keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment}) + except: + # Ignore invalid public keys + pass + if raw: + return keys + else: + headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"} + output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple") + return output + else: + if raw: + return [] + else: + return "No SSH server public keys are found." + +def show_dynamic_protection(raw: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh dynamic-protection"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") + + attackers = [] + try: + # IPv4 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + try: + # IPv6 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + if attackers: + if raw: + return attackers + else: + output = "Blocked attackers:\n" + "\n".join(attackers) + return output + else: + if raw: + return [] + else: + return "No blocked attackers." + +if __name__ == '__main__': + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) |