summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--op-mode-definitions/monitor-log.xml.in12
-rw-r--r--op-mode-definitions/show-log.xml.in12
-rw-r--r--op-mode-definitions/show-ssh.xml.in10
-rw-r--r--src/op_mode/show-ssh-fingerprints.py49
-rwxr-xr-xsrc/op_mode/ssh.py100
5 files changed, 128 insertions, 55 deletions
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in
index 52b5b85d4..ee066b39b 100644
--- a/op-mode-definitions/monitor-log.xml.in
+++ b/op-mode-definitions/monitor-log.xml.in
@@ -274,12 +274,20 @@
</properties>
<command>journalctl --no-hostname --boot --follow --unit snmpd.service</command>
</leafNode>
- <leafNode name="ssh">
+ <node name="ssh">
<properties>
<help>Monitor last lines of Secure Shell log</help>
</properties>
<command>journalctl --no-hostname --boot --follow --unit ssh.service</command>
- </leafNode>
+ <children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Monitor last lines of SSH guard log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit sshguard.service</command>
+ </node>
+ </children>
+ </node>
<leafNode name="vpn">
<properties>
<help>Monitor last lines of ALL Virtual Private Network services</help>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index a2a210543..39d69c64e 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -618,12 +618,20 @@
</properties>
<command>journalctl --no-hostname --boot --unit snmpd.service</command>
</leafNode>
- <leafNode name="ssh">
+ <node name="ssh">
<properties>
<help>Show log for Secure Shell (SSH)</help>
</properties>
<command>journalctl --no-hostname --boot --unit ssh.service</command>
- </leafNode>
+ <children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Show SSH guard log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit sshguard.service</command>
+ </node>
+ </children>
+ </node>
<tagNode name="tail">
<properties>
<help>Show last n changes to messages</help>
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
index dc6e0d02e..ca8e669b3 100644
--- a/op-mode-definitions/show-ssh.xml.in
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -7,17 +7,23 @@
<help>Show SSH server information</help>
</properties>
<children>
+ <node name="dynamic-protection">
+ <properties>
+ <help>Show SSH server dynamic-protection blocked attackers</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
+ </node>
<node name="fingerprints">
<properties>
<help>Show SSH server public key fingerprints</help>
</properties>
- <command>${vyos_op_scripts_dir}/show-ssh-fingerprints.py</command>
+ <command>${vyos_op_scripts_dir}/ssh.py show_fingerprints</command>
<children>
<node name="ascii">
<properties>
<help>Show visual ASCII art representation of the public key</help>
</properties>
- <command>${vyos_op_scripts_dir}/show-ssh-fingerprints.py --ascii</command>
+ <command>${vyos_op_scripts_dir}/ssh.py show_fingerprints --ascii</command>
</node>
</children>
</node>
diff --git a/src/op_mode/show-ssh-fingerprints.py b/src/op_mode/show-ssh-fingerprints.py
deleted file mode 100644
index 913baae46..000000000
--- a/src/op_mode/show-ssh-fingerprints.py
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2017-2023 VyOS maintainers and contributors <maintainers@vyos.io>
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library. If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import glob
-import argparse
-from vyos.utils.process import cmd
-
-# Parse command line
-parser = argparse.ArgumentParser()
-parser.add_argument("--ascii", help="Show visual ASCII art representation of the public key", action="store_true")
-args = parser.parse_args()
-
-# Get list of server public keys
-publickeys = glob.glob("/etc/ssh/*.pub")
-
-if publickeys:
- print("SSH server public key fingerprints:\n", flush=True)
- for keyfile in publickeys:
- if args.ascii:
- try:
- print(cmd("ssh-keygen -l -v -E sha256 -f " + keyfile) + "\n", flush=True)
- # Ignore invalid public keys
- except:
- pass
- else:
- try:
- print(cmd("ssh-keygen -l -E sha256 -f " + keyfile) + "\n", flush=True)
- # Ignore invalid public keys
- except:
- pass
-else:
- print("No SSH server public keys are found.", flush=True)
-
-sys.exit(0)
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
new file mode 100755
index 000000000..102becc55
--- /dev/null
+++ b/src/op_mode/ssh.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+#
+# Copyright 2017-2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import sys
+import glob
+import vyos.opmode
+from vyos.utils.process import cmd
+from vyos.configquery import ConfigTreeQuery
+from tabulate import tabulate
+
+def show_fingerprints(raw: bool, ascii: bool):
+ config = ConfigTreeQuery()
+ if not config.exists("service ssh"):
+ raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.")
+
+ publickeys = glob.glob("/etc/ssh/*.pub")
+
+ if publickeys:
+ keys = []
+ for keyfile in publickeys:
+ try:
+ if ascii:
+ keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines()
+ else:
+ keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines()
+ type = keydata[0].split(None)[-1].strip("()")
+ key_size = keydata[0].split(None)[0]
+ fingerprint = keydata[0].split(None)[1]
+ comment = keydata[0].split(None)[2:-1][0]
+ if ascii:
+ ascii_art = "\n".join(keydata[1:])
+ keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art})
+ else:
+ keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment})
+ except:
+ # Ignore invalid public keys
+ pass
+ if raw:
+ return keys
+ else:
+ headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"}
+ output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple")
+ return output
+ else:
+ if raw:
+ return []
+ else:
+ return "No SSH server public keys are found."
+
+def show_dynamic_protection(raw: bool):
+ config = ConfigTreeQuery()
+ if not config.exists(['service', 'ssh', 'dynamic-protection']):
+ raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
+
+ attackers = []
+ try:
+ # IPv4
+ attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ try:
+ # IPv6
+ attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+ except:
+ pass
+ if attackers:
+ if raw:
+ return attackers
+ else:
+ output = "Blocked attackers:\n" + "\n".join(attackers)
+ return output
+ else:
+ if raw:
+ return []
+ else:
+ return "No blocked attackers."
+
+if __name__ == '__main__':
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)