From e3f6196ffc904b6bfe349bac6dfb396c17535494 Mon Sep 17 00:00:00 2001 From: JeffWDH Date: Sat, 28 Oct 2023 09:42:07 -0400 Subject: T5661: Add show ssh dynamic-protection and show log ssh dynamic-protection --- op-mode-definitions/show-log.xml.in | 12 ++++++++++-- op-mode-definitions/show-ssh.xml.in | 6 ++++++ src/op_mode/ssh.py | 38 +++++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 747622db6..a54d28288 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -398,12 +398,20 @@ journalctl --no-hostname --boot --unit snmpd.service - + Show log for Secure Shell (SSH) journalctl --no-hostname --boot --unit ssh.service - + + + + Show dynamic-protection log + + journalctl --no-hostname -p info -t sshguard -o short + + + Show last n changes to messages diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in index 7b72739c4..88faecada 100644 --- a/op-mode-definitions/show-ssh.xml.in +++ b/op-mode-definitions/show-ssh.xml.in @@ -7,6 +7,12 @@ Show SSH server information + + + Show SSH server dynamic-protection blocked attackers + + ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection + Show SSH server public key fingerprints diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py index 4de9521b5..89db7b3d3 100755 --- a/src/op_mode/ssh.py +++ b/src/op_mode/ssh.py @@ -15,6 +15,7 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see . +import json import sys import glob import vyos.opmode @@ -60,3 +61,40 @@ def show_fingerprints(raw: bool, ascii: bool): return [] else: return "No SSH server public keys are found." + +def show_dynamic_protection(raw: bool): + config = ConfigTreeQuery() + if not config.exists("service ssh dynamic-protection"): + raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") + + attackers = [] + try: + # IPv4 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + try: + # IPv6 + attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"] + except: + pass + if attackers: + if raw: + return attackers + else: + output = "Blocked attackers:\n" + "\n".join(attackers) + return output + else: + if raw: + return [] + else: + return "No blocked attackers." + +if __name__ == '__main__': + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3