diff options
-rw-r--r-- | op-mode-definitions/monitor-log.xml.in | 12 | ||||
-rw-r--r-- | op-mode-definitions/show-log.xml.in | 12 | ||||
-rw-r--r-- | op-mode-definitions/show-ssh.xml.in | 10 | ||||
-rw-r--r-- | src/op_mode/show-ssh-fingerprints.py | 49 | ||||
-rwxr-xr-x | src/op_mode/ssh.py | 100 |
5 files changed, 128 insertions, 55 deletions
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in index 52b5b85d4..ee066b39b 100644 --- a/op-mode-definitions/monitor-log.xml.in +++ b/op-mode-definitions/monitor-log.xml.in @@ -274,12 +274,20 @@ </properties> <command>journalctl --no-hostname --boot --follow --unit snmpd.service</command> </leafNode> - <leafNode name="ssh"> + <node name="ssh"> <properties> <help>Monitor last lines of Secure Shell log</help> </properties> <command>journalctl --no-hostname --boot --follow --unit ssh.service</command> - </leafNode> + <children> + <node name="dynamic-protection"> + <properties> + <help>Monitor last lines of SSH guard log</help> + </properties> + <command>journalctl --no-hostname --boot --follow --unit sshguard.service</command> + </node> + </children> + </node> <leafNode name="vpn"> <properties> <help>Monitor last lines of ALL Virtual Private Network services</help> diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index a2a210543..39d69c64e 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -618,12 +618,20 @@ </properties> <command>journalctl --no-hostname --boot --unit snmpd.service</command> </leafNode> - <leafNode name="ssh"> + <node name="ssh"> <properties> <help>Show log for Secure Shell (SSH)</help> </properties> <command>journalctl --no-hostname --boot --unit ssh.service</command> - </leafNode> + <children> + <node name="dynamic-protection"> + <properties> + <help>Show SSH guard log</help> + </properties> + <command>journalctl --no-hostname --boot --unit sshguard.service</command> + </node> + </children> + </node> <tagNode name="tail"> <properties> <help>Show last n changes to messages</help> diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in index dc6e0d02e..ca8e669b3 100644 --- a/op-mode-definitions/show-ssh.xml.in +++ b/op-mode-definitions/show-ssh.xml.in @@ -7,17 +7,23 @@ <help>Show SSH server information</help> </properties> <children> + <node name="dynamic-protection"> + <properties> + <help>Show SSH server dynamic-protection blocked attackers</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command> + </node> <node name="fingerprints"> <properties> <help>Show SSH server public key fingerprints</help> </properties> - <command>${vyos_op_scripts_dir}/show-ssh-fingerprints.py</command> + <command>${vyos_op_scripts_dir}/ssh.py show_fingerprints</command> <children> <node name="ascii"> <properties> <help>Show visual ASCII art representation of the public key</help> </properties> - <command>${vyos_op_scripts_dir}/show-ssh-fingerprints.py --ascii</command> + <command>${vyos_op_scripts_dir}/ssh.py show_fingerprints --ascii</command> </node> </children> </node> diff --git a/src/op_mode/show-ssh-fingerprints.py b/src/op_mode/show-ssh-fingerprints.py deleted file mode 100644 index 913baae46..000000000 --- a/src/op_mode/show-ssh-fingerprints.py +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright 2017-2023 VyOS maintainers and contributors <maintainers@vyos.io> -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see <http://www.gnu.org/licenses/>. - -import sys -import glob -import argparse -from vyos.utils.process import cmd - -# Parse command line -parser = argparse.ArgumentParser() -parser.add_argument("--ascii", help="Show visual ASCII art representation of the public key", action="store_true") -args = parser.parse_args() - -# Get list of server public keys -publickeys = glob.glob("/etc/ssh/*.pub") - -if publickeys: - print("SSH server public key fingerprints:\n", flush=True) - for keyfile in publickeys: - if args.ascii: - try: - print(cmd("ssh-keygen -l -v -E sha256 -f " + keyfile) + "\n", flush=True) - # Ignore invalid public keys - except: - pass - else: - try: - print(cmd("ssh-keygen -l -E sha256 -f " + keyfile) + "\n", flush=True) - # Ignore invalid public keys - except: - pass -else: - print("No SSH server public keys are found.", flush=True) - -sys.exit(0) diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py new file mode 100755 index 000000000..102becc55 --- /dev/null +++ b/src/op_mode/ssh.py @@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +# +# Copyright 2017-2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +import json +import sys +import glob +import vyos.opmode +from vyos.utils.process import cmd +from vyos.configquery import ConfigTreeQuery +from tabulate import tabulate + +def show_fingerprints(raw: bool, ascii: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.") + + publickeys = glob.glob("/etc/ssh/*.pub") + + if publickeys: + keys = [] + for keyfile in publickeys: + try: + if ascii: + keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines() + else: + keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines() + type = keydata[0].split(None)[-1].strip("()") + key_size = keydata[0].split(None)[0] + fingerprint = keydata[0].split(None)[1] + comment = keydata[0].split(None)[2:-1][0] + if ascii: + ascii_art = "\n".join(keydata[1:]) + keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art}) + else: + keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment}) + except: + # Ignore invalid public keys + pass + if raw: + return keys + else: + headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"} + output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple") + return output + else: + if raw: + return [] + else: + return "No SSH server public keys are found." + +def show_dynamic_protection(raw: bool): + config = ConfigTreeQuery() + if not config.exists(['service', 'ssh', 'dynamic-protection']): + raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") + + attackers = [] + try: + # IPv4 + attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + try: + # IPv6 + attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + if attackers: + if raw: + return attackers + else: + output = "Blocked attackers:\n" + "\n".join(attackers) + return output + else: + if raw: + return [] + else: + return "No blocked attackers." + +if __name__ == '__main__': + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) |