From e3f6196ffc904b6bfe349bac6dfb396c17535494 Mon Sep 17 00:00:00 2001 From: JeffWDH Date: Sat, 28 Oct 2023 09:42:07 -0400 Subject: T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection --- op-mode-definitions/show-log.xml.in | 12 ++++++++++-- op-mode-definitions/show-ssh.xml.in | 6 ++++++ src/op_mode/ssh.py | 38 +++++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 747622db6..a54d28288 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -398,12 +398,20 @@ journalctl --no-hostname --boot --unit snmpd.service - + Show log for Secure Shell (SSH) journalctl --no-hostname --boot --unit ssh.service - + + + + Show dynamic-protection log + + journalctl --no-hostname -p info -t sshguard -o short + + + Show last n changes to messages diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in index 7b72739c4..88faecada 100644 --- a/op-mode-definitions/show-ssh.xml.in +++ b/op-mode-definitions/show-ssh.xml.in @@ -7,6 +7,12 @@ Show SSH server information + + + Show SSH server dynamic-protection blocked attackers + + ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection + Show SSH server public key fingerprints diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py index 4de9521b5..89db7b3d3 100755 --- a/src/op_mode/ssh.py +++ b/src/op_mode/ssh.py @@ -15,6 +15,7 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see . +import json import sys import glob import vyos.opmode 
@@ -60,3 +61,40 @@ def show_fingerprints(raw: bool, ascii: bool): return [] else: return "No SSH server public keys are found." + +def show_dynamic_protection(raw: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh dynamic-protection"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") + + attackers = [] + try: + # IPv4 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + try: + # IPv6 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + if attackers: + if raw: + return attackers + else: + output = "Blocked attackers:\n" + "\n".join(attackers) + return output + else: + if raw: + return [] + else: + return "No blocked attackers." + +if __name__ == '__main__': + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3 From 963fd35e9f9e62b013fe61d4e57496abf5ad2f38 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 29 Oct 2023 08:07:06 +0100 Subject: op-mode: T5661: use common journalctl syntax for sshguard This makes the code more easy to maintain in the future if everyone uses the same structure when calling journalctl. (cherry picked from commit e1b4e972b40941acec76c97e714767214cefe426) --- op-mode-definitions/show-log.xml.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index a54d28288..08d5ae11a 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -406,9 +406,9 @@ - Show dynamic-protection log + Show SSH guard log - journalctl --no-hostname -p info -t sshguard -o short + journalctl --no-hostname --boot --unit sshguard.service -- cgit v1.2.3 
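Review bot: Both bare `except: pass` blocks around the `nft -j list set` calls turn every failure — `nft` missing, no privilege, a table that is not there, unparsable JSON, or `["nftables"][1]` not being the set object — into the same "No blocked attackers." answer, so an operator cannot tell a broken blocklist from an empty one. The fixed index `[1]` also assumes the set is always the entry right after nft's `metainfo` object; picking the entry that carries a `"set"` key is more robust. `"\n".join(attackers)` further assumes every element is a plain string, which would not hold if the set ever carried timeouts (nft then emits `{"elem": {...}}` dicts) — worth confirming against sshguard's set definition before relying on it. The ssh.py hunk of commit b34b199 below keeps the same two blocks (minus `sudo`), so this applies there as well. A small helper that narrows the handled errors and treats only a missing table/set as empty would cover both address families:

```python
def _blocked_attackers(family: str) -> list:
    """Return the elements of the sshguard 'attackers' set for 'ip' or 'ip6'.

    A missing table/set is reported as an empty list; any other failure
    (nft absent, no privilege, unexpected JSON) propagates, so a broken
    blocklist is not mistaken for an empty one.
    """
    try:
        ruleset = json.loads(cmd(f"sudo nft -j list set {family} sshguard attackers"))
    except OSError as e:
        # TODO(review): confirm cmd() raises OSError on non-zero exit and that
        # "No such file or directory" is what nft reports for a missing set
        if "No such file or directory" in str(e):
            return []
        raise
    for entry in ruleset.get("nftables", []):
        if "set" in entry:
            return entry["set"].get("elem", [])
    return []


def show_dynamic_protection(raw: bool):
    # … unchanged: UnconfiguredSubsystem check …
    attackers = _blocked_attackers("ip") + _blocked_attackers("ip6")
    # … unchanged: raw / text output …
```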
From b34b1992a65e519af0aed5ad43b1d60e6d1f7af5 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 29 Oct 2023 08:08:02 +0100 Subject: op-mode: T5661: remove call to sudo in ssh.py and move it to XML definition Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it. (cherry picked from commit 428dee29d36cc3629990ec41afef887821886834) --- op-mode-definitions/show-ssh.xml.in | 2 +- src/op_mode/ssh.py | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in index 88faecada..ca8e669b3 100644 --- a/op-mode-definitions/show-ssh.xml.in +++ b/op-mode-definitions/show-ssh.xml.in @@ -11,7 +11,7 @@ Show SSH server dynamic-protection blocked attackers - ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection + sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py index 89db7b3d3..acb066144 100755 --- a/src/op_mode/ssh.py +++ b/src/op_mode/ssh.py @@ -64,18 +64,18 @@ def show_fingerprints(raw: bool, ascii: bool): def show_dynamic_protection(raw: bool): config = ConfigTreeQuery() - if not config.exists("service ssh dynamic-protection"): + if not config.exists(['service', 'ssh', 'dynamic-protection']): raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") attackers = [] try: # IPv4 - attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] + attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] except: pass try: # IPv6 - attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] + attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] except: pass if attackers: -- cgit v1.2.3 
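Review bot: With `sudo` moved in front of `${vyos_op_scripts_dir}/ssh.py`, the whole op-mode script now runs as root — the `ConfigTreeQuery` lookup, the JSON parsing and the output formatting included — whereas only the `nft -j list set` read needs the privilege. Nothing in `ssh.py` records this expectation, so a later edit could add more work to `show_dynamic_protection` without realising it executes privileged; a one-line comment above the function, `# invoked via sudo from show-ssh.xml.in: listing nft sets requires root`, would make it explicit. Whether the XML wrapper or a narrower grant for `nft` alone is the project's convention I cannot tell from the patch; the commit message states the former is preferred, so this is a documentation point only.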
From 57000d752c610984c2074ad8cd2fa2d346794ba9 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 29 Oct 2023 08:08:56 +0100 Subject: op-mode: T5661: add "monitor ssh dynamic-protection" command to follow the logfile (cherry picked from commit 78e00bf4099bfac2164ef2075acce8169c40c9c3) --- op-mode-definitions/monitor-log.xml.in | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in index 52b5b85d4..ee066b39b 100644 --- a/op-mode-definitions/monitor-log.xml.in +++ b/op-mode-definitions/monitor-log.xml.in @@ -274,12 +274,20 @@ journalctl --no-hostname --boot --follow --unit snmpd.service - + Monitor last lines of Secure Shell log journalctl --no-hostname --boot --follow --unit ssh.service - + + + + Monitor last lines of SSH guard log + + journalctl --no-hostname --boot --follow --unit sshguard.service + + + Monitor last lines of ALL Virtual Private Network services -- cgit v1.2.3