From 8cdf6eb47052445cde3b4f22e422afa9422a9a73 Mon Sep 17 00:00:00 2001 From: JeffWDH Date: Sat, 21 Oct 2023 14:29:05 -0400 Subject: T5661: Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection --- op-mode-definitions/show-log.xml.in | 12 ++++- op-mode-definitions/show-ssh.xml.in | 10 +++- src/op_mode/show-ssh-fingerprints.py | 49 ----------------- src/op_mode/ssh.py | 100 +++++++++++++++++++++++++++++++++++ 4 files changed, 118 insertions(+), 53 deletions(-) delete mode 100644 src/op_mode/show-ssh-fingerprints.py create mode 100755 src/op_mode/ssh.py diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index a2a210543..dcfede991 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -618,12 +618,20 @@ journalctl --no-hostname --boot --unit snmpd.service - + Show log for Secure Shell (SSH) journalctl --no-hostname --boot --unit ssh.service - + + + + Show dynamic-protection log + + journalctl --no-hostname -p info -t sshguard -o short + + + Show last n changes to messages diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in index dc6e0d02e..88faecada 100644 --- a/op-mode-definitions/show-ssh.xml.in +++ b/op-mode-definitions/show-ssh.xml.in @@ -7,17 +7,23 @@ Show SSH server information + + + Show SSH server dynamic-protection blocked attackers + + ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection + Show SSH server public key fingerprints - ${vyos_op_scripts_dir}/show-ssh-fingerprints.py + ${vyos_op_scripts_dir}/ssh.py show_fingerprints Show visual ASCII art representation of the public key - ${vyos_op_scripts_dir}/show-ssh-fingerprints.py --ascii + ${vyos_op_scripts_dir}/ssh.py show_fingerprints --ascii diff --git a/src/op_mode/show-ssh-fingerprints.py b/src/op_mode/show-ssh-fingerprints.py deleted file mode 100644 index 913baae46..000000000 --- a/src/op_mode/show-ssh-fingerprints.py +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright 2017-2023 VyOS maintainers and contributors -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see . - -import sys -import glob -import argparse -from vyos.utils.process import cmd - -# Parse command line -parser = argparse.ArgumentParser() -parser.add_argument("--ascii", help="Show visual ASCII art representation of the public key", action="store_true") -args = parser.parse_args() - -# Get list of server public keys -publickeys = glob.glob("/etc/ssh/*.pub") - -if publickeys: - print("SSH server public key fingerprints:\n", flush=True) - for keyfile in publickeys: - if args.ascii: - try: - print(cmd("ssh-keygen -l -v -E sha256 -f " + keyfile) + "\n", flush=True) - # Ignore invalid public keys - except: - pass - else: - try: - print(cmd("ssh-keygen -l -E sha256 -f " + keyfile) + "\n", flush=True) - # Ignore invalid public keys - except: - pass -else: - print("No SSH server public keys are found.", flush=True) - -sys.exit(0) diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py new file mode 100755 index 000000000..c09b2166f --- /dev/null +++ b/src/op_mode/ssh.py @@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +# +# Copyright 2017-2023 VyOS maintainers and contributors +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see . + +import json +import sys +import glob +import vyos.opmode +from vyos.utils.process import cmd +from vyos.configquery import ConfigTreeQuery +from tabulate import tabulate + +def show_fingerprints(raw: bool, ascii: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.") + + publickeys = glob.glob("/etc/ssh/*.pub") + + if publickeys: + keys = [] + for keyfile in publickeys: + try: + if ascii: + keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines() + else: + keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines() + type = keydata[0].split(None)[-1].strip("()") + key_size = keydata[0].split(None)[0] + fingerprint = keydata[0].split(None)[1] + comment = keydata[0].split(None)[2:-1][0] + if ascii: + ascii_art = "\n".join(keydata[1:]) + keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art}) + else: + keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment}) + except: + # Ignore invalid public keys + pass + if raw: + return keys + else: + headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"} + output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple") + return output + else: + if raw: + return [] + else: + return "No SSH server public keys are found." + +def show_dynamic_protection(raw: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh dynamic-protection"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") + + attackers = [] + try: + # IPv4 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + try: + # IPv6 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + if attackers: + if raw: + return attackers + else: + output = "Blocked attackers:\n" + "\n".join(attackers) + return output + else: + if raw: + return [] + else: + return "No blocked attackers." + +if __name__ == '__main__': + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3